Resolved HJT Threads: Resolved spyware and popup issues.

#1
Registered User
Join Date: Jan 2008
Posts: 19
OS: Windows XP (SP2)
Malware Help Please!
Running XP with 4 users at home. Only on one user's desktop does the problem occur. Constant pop-ups regarding the worm.win32.netsky virus, a red X in the system tray, and redirects from IE to virus clean-up web sites; the "Error Cleaner", "Privacy Protector" & "Spyware & Malware Protection" icons also appear on this user's desktop. The link bar on all users contains "Remove Popups", "Scan Spyware", "Security Test" and "Spam Protection". "The ensfolr" link bar appears in the link bar drop-down list. I ran the SmitfraudFix in addition to AVG and I think that the malware may still be present. I attempted to run the Panda ActiveScan software but it never ran; it just sat there (~ 20 minutes) without showing any status of execution.
Attached are the main.txt and extra.txt files output from DSS:
Deckard's System Scanner v20071014.68 Run by Daddy on 2008-01-11 14:56:44 Computer is in Normal Mode.
ccCommon --> MsiExec.exe /I{B24E05CC-46FF-4787-BBB8-5CD516AFB118} Component Framework --> MsiExec.exe /I{31478BE1-CDE5-4753-A8B2-F6D4BC1FBE09} HP Imaging Device Functions 5.3 --> C:\Program Files\HP\Digital Imaging\DigitalImagingMonitor\hpzscr01.exe -datfile hpqbud01.dat HP Photosmart 330,380,420,470,7800,8000,8200 Series --> C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\setup\hpzscr01.exe -d MsiRollbackUninstaller -datfile hphscr08.dat HP Product Detection --> MsiExec.exe /X{CAE7D1D9-3794-4169-B4DD-964ADBC534EE} HP Software Update --> MsiExec.exe /X{15EE79F4-4ED1-4267-9B0F-351009325D7D} HP Solution Center & Imaging Support Tools 5.3 --> C:\Program Files\HP\Digital Imaging\eSupport\hpzscr01.exe -datfile hpqbud05.dat Intel(R) 537EP V9x DF PCI Modem --> rundll32 IntelCci.dll,iSMUninstallation "Intel(R) 537EP V9x DF PCI Modem" Intel(R) Extreme Graphics 2 Driver --> RUNDLL32.EXE C:\WINDOWS\system32\ialmrem.dll,UninstallW2KIGfx PCI\VEN_8086&DEV_2572 LiveUpdate (Symantec Corporation) --> MsiExec.exe /x {E80F62FF-5D3C-4A19-8409-9721F2928206} /l*v "C:\Documents and Settings\All Users\Application Data\LuUninstall.LiveUpdate" LiveUpdate (Symantec Corporation) --> MsiExec.exe /X{E80F62FF-5D3C-4A19-8409-9721F2928206} Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{91E30409-6000-11D3-8CFE-0150048383C9} Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d} MSN --> C:\Program Files\MSN\MsnInstaller\msninst.exe /Action:ARP Nero Suite --> C:\Program Files\Common Files\Ahead\Uninstall\setup.exe /uninstall Norton AntiVirus --> MsiExec.exe /X{77FFBA7E-0973-4F39-BBDB-AC2F537578D2} Norton AntiVirus Help --> MsiExec.exe /I{E3EFA461-EB83-4C3B-9C47-2C1D58A01555} Norton Confidential Core --> MsiExec.exe /I{55A6283C-638A-4EE0-B491-51118554BDA2} Norton Internet Security --> MsiExec.exe /I{C1C185CA-C531-49F5-A6FA-B838405A049D} Norton Internet Security (Symantec Corporation) --> "C:\Program Files\Common 
Files\Symantec Shared\SymSetup\{C1C185CA-C531-49F5-A6FA-B838405A049D}_15_0_0_60\Setup.exe" /X Norton Protection Center --> MsiExec.exe /I{62120008-8E1E-4807-860D-A8B48F8552DB} PowerDVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\setup.exe" -uninstall Print Artist Gold 21 --> MsiExec.exe /I{D8262480-2A04-407C-B2F7-1439B789C349} SoundMAX --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F0A37341-D692-11D4-A984-009027EC0A9C}\setup.exe" SPBBC 32bit --> MsiExec.exe /I{77772678-817F-4401-9301-ED1D01A8DA56} Symantec Technical Support Web Controls --> MsiExec.exe /X{9743AF47-B746-4324-B4C4-512E67D04370} SymNet --> MsiExec.exe /I{2DA85B02-13C0-4E6D-9A76-22E6B3DD0CB2} -- Application Event Log ------------------------------------------------------- Event Record #/Type2295 / Error Event Submitted/Written: 01/11/2008 01 30 PMEvent ID/Source: 1002 / Application Hang Event Description: Hanging application iexplore.exe, version 7.0.6000.16574, hang module hungapp, version 0.0.0.0, hang address 0x00000000. Event Record #/Type2076 / Error Event Submitted/Written: 01/09/2008 03:42:32 PM Event ID/Source: 101 / Automatic LiveUpdate Scheduler Event Description: Information Level: error Initialization of the COM subsystem failed. Error code: 0x8007041D. Event Record #/Type1951 / Error Event Submitted/Written: 01/07/2008 09:17:26 PM Event ID/Source: 1002 / Application Hang Event Description: Hanging application iexplore.exe, version 7.0.6000.16574, hang module hungapp, version 0.0.0.0, hang address 0x00000000. Event Record #/Type1883 / Error Event Submitted/Written: 01/06/2008 11:23:25 PM Event ID/Source: 1002 / Application Hang Event Description: Hanging application iexplore.exe, version 7.0.6000.16574, hang module hungapp, version 0.0.0.0, hang address 0x00000000. 
Event Record #/Type1723 / Error Event Submitted/Written: 01/04/2008 08 37 PMEvent ID/Source: 1002 / Application Hang Event Description: Hanging application iexplore.exe, version 7.0.6000.16574, hang module hungapp, version 0.0.0.0, hang address 0x00000000. -- Security Event Log ---------------------------------------------------------- No Errors/Warnings found. -- System Event Log ------------------------------------------------------------ Event Record #/Type3075 / Error Event Submitted/Written: 01/11/2008 01:16:20 PM Event ID/Source: 10005 / DCOM Event Description: DCOM got error "%%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF} Event Record #/Type3074 / Error Event Submitted/Written: 01/11/2008 01:14:46 PM Event ID/Source: 10005 / DCOM Event Description: DCOM got error "%%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E} Event Record #/Type3073 / Error Event Submitted/Written: 01/11/2008 01:10:45 PM Event ID/Source: 7026 / Service Control Manager Event Description: The following boot-start or system-start driver(s) failed to load: AFD AVG Anti-Spyware Driver eeCtrl Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss SPBBCDrv SRTSPX SYMTDI Tcpip Event Record #/Type3072 / Error Event Submitted/Written: 01/11/2008 01:10:45 PM Event ID/Source: 7001 / Service Control Manager Event Description: The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: %%31 Event Record #/Type3071 / Error Event Submitted/Written: 01/11/2008 01:10:45 PM Event ID/Source: 7001 / Service Control Manager Event Description: The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: %%31 -- End of Deckard's System Scanner: finished at 2008-01-11 14:59:27 ------------ Output of AVG: 
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------
+ Created at: 12:14:29 PM 1/11/2008
+ Scan result:
[list of TrackingCookie.* entries from the Cookies folders of all four user profiles, each reported "Cleaned", omitted]
::Report end

Output of SmitFraudFix:

SmitFraudFix v2.274
Scan done at 13:10:41.21, Fri 01/11/2008
Run from C:\Downloads\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process

»»»»»»»»»»»»»»»»»»»»»»»» hosts

127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\privacy_danger\ Deleted

»»»»»»»»»»»»»»»»»»»»»»»» IEDFix

IEDFix.exe by S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{72CBA239-63B4-49B5-B44C-3075B359FB1B}: DhcpNameServer=167.206.254.1 167.206.254.2
HKLM\SYSTEM\CS1\Services\Tcpip\..\{72CBA239-63B4-49B5-B44C-3075B359FB1B}: DhcpNameServer=167.206.254.1 167.206.254.2
HKLM\SYSTEM\CS2\Services\Tcpip\..\{72CBA239-63B4-49B5-B44C-3075B359FB1B}: DhcpNameServer=167.206.254.1 167.206.254.2
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=167.206.254.1 167.206.254.2
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=167.206.254.1 167.206.254.2
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=167.206.254.1 167.206.254.2

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» End

Your help is greatly appreciated.
Pete
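The two DSS logs in this thread show the patterns a helper scans for by eye: a BHO loading a vowel-less DLL straight out of C:\WINDOWS (first log), a Run entry whose target lives in a Temp folder, and browser or service registrations left pointing at files that no longer exist (second log). As an added example that is not part of the thread or of the DSS/HijackThis tools, the Python script below parses the O2/O3/O4/O23 lines of the HijackThis log format and applies those checks: the sample log is constructed from entries quoted in this thread, the thresholds are my own, and the Temp-folder O4 line is a constructed HijackThis rendering of the first log's "UIUCU" Run entry.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample in HijackThis v1.99.1 log format. The O2 line for
# dxpvqlmqng.dll reuses the BHO GUID and path from the first DSS registry
# dump in this thread; the O3 and O23 lines are quoted from the second log;
# the two O4 lines are constructed (one benign, one modelled on the first
# log's "UIUCU" Run entry that pointed into a Temp folder).
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5085333B-FD15-4754-A571-852F7077C5F2} - C:\WINDOWS\dxpvqlmqng.dll
O3 - Toolbar: (no name) - {A037112F-183D-4E98-8CEA-1A0D93BA9F48} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [UIUCU] C:\DOCUME~1\Owner\LOCALS~1\Temp\UIUCU.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
"""

GUID = r"\{[0-9A-Fa-f-]+\}"
PATTERNS = {
    "O2":  re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>" + GUID + r") - (?P<target>.*)$"),
    "O3":  re.compile(r"^O3 - Toolbar: (?P<name>.*?) - (?P<clsid>" + GUID + r") - (?P<target>.*)$"),
    "O4":  re.compile(r"^O4 - (?P<hive>\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<target>.*)$"),
    "O23": re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<target>.*)$"),
}
MISSING_MARKERS = ("(no file)", "(file missing)")
VOWELS = set("aeiouy")


@dataclass
class Finding:
    kind: str
    name: str
    target: str
    reasons: List[str] = field(default_factory=list)


def extract_image(target: str) -> str:
    """Pull the executable/DLL path out of a field that may carry quotes or arguments."""
    t = target.strip()
    if t.startswith('"'):
        end = t.find('"', 1)
        return t[1:end] if end > 0 else t[1:]
    m = re.match(r'(?P<img>.*?\.(?:exe|dll|sys|ocx))(?=["\s]|$)', t, re.IGNORECASE)
    return m.group("img") if m else t


def looks_random(filename: str) -> bool:
    """Weak heuristic (my threshold): a long stem with almost no vowels, e.g. dxpvqlmqng.dll."""
    stem = filename.rsplit(".", 1)[0]
    letters = [c for c in stem.lower() if c.isalpha()]
    if len(letters) < 8:
        return False
    return sum(c in VOWELS for c in letters) / len(letters) < 0.15


def assess(kind: str, name: str, target: str) -> List[str]:
    """Return the triage reasons for one parsed entry; an empty list means nothing stood out."""
    reasons: List[str] = []
    t = target.strip()
    if t.endswith(MISSING_MARKERS):
        if '"' in t and not t.startswith('"'):
            # The quoted ImagePath kept its closing quote, so the existence check
            # ran against a mangled path (seen on the Symantec O23 lines above).
            reasons.append("'(file missing)' on a path that still contains a closing quote: "
                           "HJT tested a mangled path, verify by hand before acting")
        else:
            reasons.append("registration points at a file that no longer exists")
        return reasons
    low = extract_image(t).lower()
    parent = low.rsplit("\\", 1)[0] if "\\" in low else ""
    filename = low.rsplit("\\", 1)[-1]
    if "\\temp\\" in low:
        reasons.append("loads from a Temp directory")
    if parent in ("c:\\windows", "c:\\winnt"):
        reasons.append("file sits directly in the Windows directory, not system32")
    # Name heuristic only outside Program Files, where vowel-poor vendor names are common.
    if looks_random(filename) and "\\program files\\" not in low:
        reasons.append("random-looking file name")
    if kind in ("O2", "O3") and name.strip().lower() == "(no name)":
        reasons.append("browser extension registered without a display name")
    return reasons


def triage(log_text: str) -> List[Finding]:
    """Parse O2/O3/O4/O23 lines and keep only the entries that trip at least one heuristic."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        line = line.strip()
        for kind, pat in PATTERNS.items():
            m = pat.match(line)
            if not m:
                continue
            reasons = assess(kind, m.group("name"), m.group("target"))
            if reasons:
                findings.append(Finding(kind, m.group("name"), m.group("target").strip(), reasons))
            break
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind} {f.name!r} -> {f.target}")
        for r in f.reasons:
            print(f"    - {r}")
```

A legitimate binary with a vowel-poor name such as ccSvcHst.exe would also trip the name heuristic on its own, which is why the script applies it only outside Program Files and treats every hit as a lead to verify rather than a verdict.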
#2
Registered User
Join Date: Jan 2008
Posts: 19
OS: Windows XP (SP2)
Re: Malware Help Please!
I failed to mention that after running SmitFraudFix and AVG, when I access the affected user's desktop, error notifications regarding a file that cannot be located in directory "c:/windows/..../privacy_protection" occur, and the "Error Cleaner", "Privacy Protector" and "Spyware & Malware Protection" icons are still there, but the icons are of the generic type as opposed to the ones that were there previously.
#4
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 32,563
OS: 2000 Pro; XP Pro; XP Home
Re: Malware Help Please!
Open notepad and copy/paste the text in the quotebox below into it:
Quote:
It should look like this: Double click on peek.bat & allow it to run. A notepad file will open. Post the contents of that file in your next reply, and close the file.
__________________
Practice Safe Surfing. Because what you don't know, CAN hurt you. Please do not ask for help via Private Message.
#5
Registered User
Join Date: Jan 2008
Posts: 19
OS: Windows XP (SP2)
Re: Malware Help Please!
Sorry for the long delay.
Since I am located on the East Coast of the United States and this is for my home computer, I can only work on the problem in the evenings.

Contents of look.txt:

[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

Since last Friday, I have run a slew of AntiVirus programs and it appears that I have eliminated the "ensfolr" toolbar, but now the following error message appears regularly, only on the offending desktop:

Cannot find 'file:///C:/WINDOWS/privacy_danger/index.htm'

Any assistance would be greatly appreciated.
Thanx,
Pete
#6
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 32,563
OS: 2000 Pro; XP Pro; XP Home
Re: Malware Help Please!
OK, I understand you're wanting to take care of things as quickly as possible. For now, please hold off on doing any more self-help, as it will just make my task more difficult.
Please run DSS once again from the Daddy account, and post its log, so I can see the current state of the machine.
#7
Registered User
Join Date: Jan 2008
Posts: 19
OS: Windows XP (SP2)
Re: Malware Help Please!
I only received the main.txt file - no extra.txt file was generated. Here's the contents of main.txt:
Deckard's System Scanner v20071014.68
Run by Daddy on 2008-01-17 20:37:27
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- HijackThis (run as Daddy.exe) -----------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 8:37:32 PM, on 1/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Java\jre1.5.0_03\bin\jucheck.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Daddy\Desktop\dss.exe
C:\PROGRA~1\HIJACK~1\Daddy.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: BDEX System - {5085333B-FD15-4754-A571-852F7077C5F2} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll
O3 - Toolbar: (no name) - {A037112F-183D-4E98-8CEA-1A0D93BA9F48} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HPHUPD08] C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1197743959218
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn...tDetection.cab
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - https://h20436.www2.hp.com/ediags/de...e/HPDEXAXO.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0) - http://javadl-esd.sun.com/update/1.5...ndows-i586.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe" -r (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

-- Files created between 2007-12-17 and 2008-01-17 -----------------------------

2008-01-17 11:57:36 0 d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-01-16 23:01:22 0 dr-h----- C:\Documents and Settings\Daddy\Recent
2008-01-16 21:45:45 0 dr-h----- C:\Documents and Settings\Mommy\Recent
2008-01-16 21:41:48 0 d-------- C:\Program Files\Yahoo!
2008-01-16 21:41:40 0 d-------- C:\Program Files\CCleaner
2008-01-16 20:12:20 22048 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-01-16 20:12:20 1568032 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-01-16 20:09:17 0 d-------- C:\Program Files\Kaspersky Lab
2008-01-16 20:09:17 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-01-16 20:08:46 0 d-------- C:\KAV
2008-01-16 19:38:02 2560 --a------ C:\WINDOWS\system32\drivers\mchInjDrv.sys
2008-01-16 19:37:38 0 d-------- C:\Program Files\Enigma Software Group
2008-01-14 18:50:31 0 d-------- C:\Documents and Settings\Daddy\.housecall6.6
2008-01-14 18:46:44 0 d-------- C:\WINDOWS\Sun
2008-01-14 18:46:44 0 d-------- C:\Documents and Settings\Daddy\Application Data\Sun
2008-01-14 18:45:28 0 d-------- C:\Program Files\Java
2008-01-14 18:45:17 0 d-------- C:\Program Files\Common Files\Java
2008-01-11 17:24:17 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-11 13:10:47 2814 --a------ C:\WINDOWS\system32\tmp.reg
2008-01-11 11:16:07 0 d-------- C:\Documents and Settings\Daddy\Application Data\Grisoft
2008-01-11 10:54:38 0 d-------- C:\WINDOWS\system32\ActiveScan
2008-01-11 03:13:53 229376 --a------ C:\Documents and Settings\LocalService\ntuser.dat
2008-01-11 03:13:53 1835008 --a------ C:\Documents and Settings\Daddy\ntuser.dat
2008-01-06 23:26:41 81920 --a------ C:\WINDOWS\foxflpd.exe
2008-01-02 12:25:49 0 d-------- C:\Documents and Settings\Daddy\Application Data\acccore
2007-12-30 10:00:32 0 d-------- C:\Downloads
2007-12-27 00:12:28 0 d-------- C:\Documents and Settings\Mommy\Application Data\acccore
2007-12-24 11:29:58 0 d-------- C:\Documents and Settings\Mommy\Application Data\Macromedia
2007-12-24 11:29:40 0 d-------- C:\Documents and Settings\Mommy\Application Data\Adobe
2007-12-23 19:59:43 0 d-------- C:\Documents and Settings\Lindsay\Application Data\Viewpoint
2007-12-20 10:24:15 0 d-------- C:\Documents and Settings\Lindsay\Application Data\acccore
2007-12-20 03:00:26 0 d-------- C:\Program Files\MSXML 4.0
2007-12-18 22:01:01 0 d-------- C:\Documents and Settings\Alyssa\Application Data\acccore
2007-12-18 21:55:59 0 d-------- C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-12-18 21:55:50 0 d-------- C:\Documents and Settings\All Users\Application Data\AOL
2007-12-18 21:55:50 0 d-------- C:\Documents and Settings\All Users\Application Data\AOL OCP
2007-12-18 21:55:33 0 d-------- C:\Program Files\Common Files\AOL
2007-12-18 21:55:30 0 d-------- C:\Program Files\AIM6
2007-12-18 21:54:59 0 d-------- C:\Documents and Settings\Alyssa\Application Data\Macromedia
2007-12-18 21:54:46 0 d-------- C:\Documents and Settings\Alyssa\Application Data\Adobe
2007-12-18 19:46:53 0 d-------- C:\Documents and Settings\Daddy\Application Data\SierraHome
2007-12-18 19:38:52 0 d-------- C:\Documents and Settings\All Users\Application Data\SierraHome
2007-12-18 19:32:25 0 d-------- C:\Program Files\Common Files\Nova Development
2007-12-18 19:32:06 0 d-------- C:\Program Files\SierraHome
2007-12-18 16:56:33 0 d-------- C:\Documents and Settings\Lindsay\Application Data\Macromedia
2007-12-17 20:36:51 0 d-------- C:\Documents and Settings\Lindsay\Application Data\Adobe
2007-12-17 20:36:28 0 d-------- C:\Documents and
Settings\Lindsay\Application Data\Symantec 2007-12-17 20:35:50 0 d-------- C:\Documents and Settings\Alyssa\Application Data\Symantec 2007-12-17 20:34:34 0 d-------- C:\Documents and Settings\Mommy\Application Data\Symantec 2007-12-17 20:13:36 0 d-------- C:\Documents and Settings\All Users\Application Data\Adobe 2007-12-17 20:13:30 0 d-------- C:\Program Files\Common Files\Adobe 2007-12-17 20 51 0 d-------- C:\Documents and Settings\Daddy\Application Data\AdobeUM2007-12-17 20:02:33 0 d-------- C:\Documents and Settings\Daddy\Application Data\Symantec 2007-12-17 20:01:12 0 d-------- C:\Program Files\Windows Sidebar 2007-12-17 20:00:30 0 d-------- C:\Program Files\Norton Internet Security 2007-12-17 19:59:48 0 d-------- C:\Program Files\Symantec 2007-12-17 19:54:02 0 d-------- C:\Documents and Settings\All Users\Application Data\Avg7 2007-12-17 19:24:15 0 d-------- C:\Program Files\Common Files\Symantec Shared 2007-12-17 19:24:15 0 d-------- C:\Documents and Settings\All Users\Application Data\Symantec 2007-12-17 19:03:32 0 d-------- C:\Documents and Settings\Daddy\Application Data\Macromedia 2007-12-17 18:38:54 0 d-------- C:\Documents and Settings\All Users\Application Data\HP 2007-12-17 18:38:16 0 d-------- C:\Program Files\Hewlett-Packard 2007-12-17 18:34:43 57344 --a------ C:\WINDOWS\system32\HPZisn12.dll <Not Verified; HP; HP SNMP Windows> 2007-12-17 18:34:43 94208 --a------ C:\WINDOWS\system32\HPZipt12.dll <Not Verified; HP; HP SNMP Windows> 2007-12-17 18:34:43 204800 --a------ C:\WINDOWS\system32\HPZipr12.dll <Not Verified; HP; HP PmlRtl> 2007-12-17 18:34:43 69632 --a------ C:\WINDOWS\system32\HPZipm12.exe <Not Verified; HP; HP PML> 2007-12-17 18:34:43 61440 --a------ C:\WINDOWS\system32\HPZinw12.exe <Not Verified; HP; HP Dot4Net Windows> 2007-12-17 18:34:43 278584 --a------ C:\WINDOWS\system32\HPZidr12.dll <Not Verified; HP; HP Dot4Rtl> 2007-12-17 18:34:42 306688 --a------ C:\WINDOWS\IsUninst.exe <Not Verified; InstallShield Software Corporation; 
InstallShield® unInstaller> 2007-12-17 18:33:13 3979 -----n--- C:\WINDOWS\hphmdl08.dat 2007-12-17 18:33:13 80793 --a------ C:\WINDOWS\HPHins08.dat 2007-12-17 18:32:09 0 d-------- C:\Documents and Settings\Daddy\Application Data\HP 2007-12-17 18:28:18 0 d-------- C:\Documents and Settings\Daddy\Application Data\Adobe 2007-12-17 18:18:49 0 d-------- C:\Program Files\HP 2007-12-17 18:18:47 0 d-------- C:\WINDOWS\Downloaded Installations 2007-12-17 11:21:42 0 d-------- C:\Documents and Settings\Mommy\Application Data\CyberLink 2007-12-17 10:50:48 0 d-------- C:\Documents and Settings\Mommy\Application Data\Grisoft 2007-12-17 10:50:40 0 d-------- C:\Documents and Settings\Mommy\Application Data\Identities 2007-12-17 10:50:32 0 d--h----- C:\Documents and Settings\Mommy\Templates 2007-12-17 10:50:32 0 dr------- C:\Documents and Settings\Mommy\Start Menu 2007-12-17 10:50:32 0 dr-h----- C:\Documents and Settings\Mommy\SendTo 2007-12-17 10:50:32 0 d--h----- C:\Documents and Settings\Mommy\PrintHood 2007-12-17 10:50:32 1572864 --a------ C:\Documents and Settings\Mommy\ntuser.dat 2007-12-17 10:50:32 0 d--h----- C:\Documents and Settings\Mommy\NetHood 2007-12-17 10:50:32 0 dr------- C:\Documents and Settings\Mommy\My Documents 2007-12-17 10:50:32 0 d--h----- C:\Documents and Settings\Mommy\Local Settings 2007-12-17 10:50:32 0 dr------- C:\Documents and Settings\Mommy\Favorites 2007-12-17 10:50:32 0 d-------- C:\Documents and Settings\Mommy\Desktop 2007-12-17 10:50:32 0 d--hs---- C:\Documents and Settings\Mommy\Cookies 2007-12-17 10:50:32 0 dr-h----- C:\Documents and Settings\Mommy\Application Data 2007-12-17 10:50:32 0 d---s---- C:\Documents and Settings\Mommy\Application Data\Microsoft 2007-12-17 10:40:29 0 d-------- C:\Documents and Settings\Lindsay\Application Data\Grisoft 2007-12-17 10:40:11 0 d-------- C:\Documents and Settings\Lindsay\Application Data\Identities 2007-12-17 10:39:59 0 d--h----- C:\Documents and Settings\Lindsay\Templates 2007-12-17 10:39:59 0 dr------- 
C:\Documents and Settings\Lindsay\Start Menu 2007-12-17 10:39:59 0 dr-h----- C:\Documents and Settings\Lindsay\SendTo 2007-12-17 10:39:59 0 dr-h----- C:\Documents and Settings\Lindsay\Recent 2007-12-17 10:39:59 0 d--h----- C:\Documents and Settings\Lindsay\PrintHood 2007-12-17 10:39:59 1048576 --a------ C:\Documents and Settings\Lindsay\ntuser.dat 2007-12-17 10:39:59 0 d--h----- C:\Documents and Settings\Lindsay\NetHood 2007-12-17 10:39:59 0 dr------- C:\Documents and Settings\Lindsay\My Documents 2007-12-17 10:39:59 0 d--h----- C:\Documents and Settings\Lindsay\Local Settings 2007-12-17 10:39:59 0 dr------- C:\Documents and Settings\Lindsay\Favorites 2007-12-17 10:39:59 0 d-------- C:\Documents and Settings\Lindsay\Desktop 2007-12-17 10:39:59 0 d--hs---- C:\Documents and Settings\Lindsay\Cookies 2007-12-17 10:39:59 0 dr-h----- C:\Documents and Settings\Lindsay\Application Data 2007-12-17 10:39:59 0 d---s---- C:\Documents and Settings\Lindsay\Application Data\Microsoft 2007-12-17 10:37:03 0 d-------- C:\Documents and Settings\Alyssa\Application Data\Grisoft 2007-12-17 10:36:57 0 d-------- C:\Documents and Settings\Alyssa\Application Data\Identities 2007-12-17 10:36:48 0 dr------- C:\Documents and Settings\Alyssa\Favorites 2007-12-17 10:36:48 0 d-------- C:\Documents and Settings\Alyssa\Desktop 2007-12-17 10:36:48 0 d--hs---- C:\Documents and Settings\Alyssa\Cookies 2007-12-17 10:36:48 0 dr-h----- C:\Documents and Settings\Alyssa\Application Data 2007-12-17 10:36:48 0 d---s---- C:\Documents and Settings\Alyssa\Application Data\Microsoft 2007-12-17 10:36:47 0 d--h----- C:\Documents and Settings\Alyssa\Templates 2007-12-17 10:36:47 0 dr------- C:\Documents and Settings\Alyssa\Start Menu 2007-12-17 10:36:47 0 dr-h----- C:\Documents and Settings\Alyssa\SendTo 2007-12-17 10:36:47 0 dr-h----- C:\Documents and Settings\Alyssa\Recent 2007-12-17 10:36:47 0 d--h----- C:\Documents and Settings\Alyssa\PrintHood 2007-12-17 10:36:47 1572864 --a------ C:\Documents and 
Settings\Alyssa\ntuser.dat 2007-12-17 10:36:47 0 d--h----- C:\Documents and Settings\Alyssa\NetHood 2007-12-17 10:36:47 0 dr------- C:\Documents and Settings\Alyssa\My Documents 2007-12-17 10:36:47 0 d--h----- C:\Documents and Settings\Alyssa\Local Settings 2007-12-17 10:30:59 0 d-------- C:\Documents and Settings\Daddy\Application Data\Identities 2007-12-17 10:30:47 0 dr-h----- C:\Documents and Settings\Daddy\Application Data 2007-12-17 10:30:46 0 d--h----- C:\Documents and Settings\Daddy\Templates 2007-12-17 10:30:46 0 dr------- C:\Documents and Settings\Daddy\Start Menu 2007-12-17 10:30:46 0 dr-h----- C:\Documents and Settings\Daddy\SendTo 2007-12-17 10:30:46 0 d--h----- C:\Documents and Settings\Daddy\PrintHood 2007-12-17 10:30:46 0 d--h----- C:\Documents and Settings\Daddy\NetHood 2007-12-17 10:30:46 0 dr------- C:\Documents and Settings\Daddy\My Documents 2007-12-17 10:30:46 0 d--h----- C:\Documents and Settings\Daddy\Local Settings 2007-12-17 10:30:46 0 dr------- C:\Documents and Settings\Daddy\Favorites 2007-12-17 10:30:46 0 d-------- C:\Documents and Settings\Daddy\Desktop 2007-12-17 10:30:46 0 d--hs---- C:\Documents and Settings\Daddy\Cookies 2007-12-17 10:27:06 0 d-------- C:\Program Files\TurboTax 2007-12-17 10:26:31 0 d-------- C:\Program Files\iTunes 2007-12-17 10:26:17 0 d-------- C:\Program Files\ItsDeductible2006 -- Find3M Report --------------------------------------------------------------- 2008-01-14 18:45:17 0 d-------- C:\Program Files\Common Files 2007-12-15 14:32:52 0 d-------- C:\Program Files\Ahead 2007-12-15 14:31:00 0 d-------- C:\Program Files\Common Files\Ahead 2007-12-15 14:28:54 0 d-------- C:\Program Files\CyberLink 2007-12-15 14:28:51 0 d--h----- C:\Program Files\InstallShield Installation Information 2007-12-15 14:18:30 0 d-------- C:\Program Files\Microsoft ActiveSync 2007-12-15 13:57:11 0 d-------- C:\Program Files\Messenger 2007-12-15 13:30:16 0 d-------- C:\Program Files\Broadcom 2007-12-15 13:30:02 0 d-------- C:\Program 
Files\Common Files\InstallShield 2007-12-15 13:24:40 0 d-------- C:\Program Files\Analog Devices 2007-12-15 13:23:02 0 d-------- C:\Program Files\Intel 2007-12-15 12:58:44 0 d-------- C:\Program Files\microsoft frontpage 2007-12-15 12:58:25 0 -rahs---- C:\MSDOS.SYS 2007-12-15 12:58:25 0 -rahs---- C:\IO.SYS 2007-12-15 12:58:25 0 --a------ C:\CONFIG.SYS 2007-12-15 12:58:25 0 --a------ C:\AUTOEXEC.BAT 2007-12-15 12:57:18 0 d--h----- C:\Program Files\WindowsUpdate 2007-12-15 12:56:26 0 d-------- C:\Program Files\Common Files\MSSoap 2007-12-15 12:56:16 0 d-------- C:\Program Files\Movie Maker 2007-12-15 12:55:43 21640 --a------ C:\WINDOWS\system32\emptyregdb.dat 2007-12-15 12:55:07 0 d-------- C:\Program Files\Online Services 2007-12-15 12:54:59 0 d-------- C:\Program Files\MSN Gaming Zone 2007-12-15 12:54:50 0 d-------- C:\Program Files\Windows NT 2007-12-15 07:49:10 0 d-------- C:\Program Files\Common Files\ODBC 2007-12-15 07:49:07 0 d-------- C:\Program Files\Common Files\SpeechEngines 2007-12-15 07:48:43 62 --ahs---- C:\Documents and Settings\Daddy\Application Data\desktop.ini -- Registry Dump --------------------------------------------------------------- *Note* empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5085333B-FD15-4754-A571-852F7077C5F2}] [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}] 08/24/2007 10:51 PM 316784 --a------ C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}] 12/17/2007 08:01 PM 116088 --a------ C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser] "{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}"= C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll [08/24/2007 10:51 PM 316784] [-HKEY_CLASSES_ROOT\CLSID\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}] 
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar.1] [HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [02/10/2004 11:55 AM] "HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [02/10/2004 11:51 AM] "NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [07/09/2001 11:50 AM] "HPHUPD08"="C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [07/11/2006 03:27 PM] "HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [08/18/2005 10:00 PM] "ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [08/25/2007 12:07 AM] "osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [08/24/2007 11:53 PM] "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [10/10/2007 07:51 PM] "!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [06/11/2007 04:25 AM] "SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe" [04/13/2005 03:48 AM] "AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe" [11/19/2007 02:40 PM] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [02/28/2006 07:00 AM] "Aim6"="C:\Program Files\AIM6\aim6.exe" [10/04/2007 10:20 AM] "SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [08/31/2007 04:46 PM] C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [8/18/2005 10:20:30 PM] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system] "DisableRegistryTools"=0 (0x0) *Newly Created Service* - COMHOST -- End of Deckard's System Scanner: finished at 2008-01-17 20:37:59 ------------ Thanx, Pete |
#8
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 32,563
OS: 2000 Pro; XP Pro; XP Home
Re: Malware Help Please!
Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.
It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------

Download SDFix and save it to your Desktop.

Spybot S&D's TeaTimer
While TeaTimer is an excellent tool for the prevention of spyware, it can sometimes prevent our tools from fixing certain things. Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your HijackThis log is clean.

Download ResetTeaTimer.bat by right-clicking on the link, and choosing Save As. Save it to your desktop, or somewhere you can find it easily. Double click ResetTeaTimer.bat to remove all entries set by TeaTimer.

Double click SDFix.exe and it will extract the files to %systemdrive% (Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :

---------------------------------------------------------------------------------------------

Please download HijackThis to your desktop (Alternate link)

Double-click on the file you just downloaded. Click on the "Unzip" button to install. It will by default install to the directory - C:\Program Files\Trend Micro\HijackThis

Upon install, HijackThis should open for you. Should it not open, navigate to C:\Program Files\Trend Micro\HijackThis and double click on HijackThis.exe

1. If it gives you an intro screen, just choose 'Do a system scan and save a logfile'.
2. If you don't get the intro screen, just hit Scan and then click on Save log.
3. Post the hijackthis.log file here.

Do not fix anything in HijackThis since they may be harmless.

---------------------------------------------------------------------------------------------
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Please do not ask for help via Private Message.

Last edited by tetonbob; 01-17-2008 at 05:50 PM.
#9
Registered User
Join Date: Jan 2008
Posts: 19
OS: Windows XP (SP2)
Re: Malware Help Please!
Contents of report.txt:
SDFix: Version 1.127 Run by Daddy on Thu 01/17/2008 at 09:23 PM Microsoft Windows XP [Version 5.1.2600] Running From: C:\SDFix Safe Mode: Checking Services: Restoring Windows Registry Values Restoring Windows Default Hosts File Rebooting... Normal Mode: Checking Files: Trojan Files Found: C:\WINDOWS\dat.txt - Deleted C:\WINDOWS\foxflpd.exe - Deleted C:\WINDOWS\rs.txt - Deleted C:\WINDOWS\search_res.txt - Deleted Removing Temp Files... ADS Check: C:\WINDOWS No streams found. C:\WINDOWS\system32 No streams found. C:\WINDOWS\system32\svchost.exe No streams found. C:\WINDOWS\system32\ntoskrnl.exe No streams found. Final Check: catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-01-17 21:29:32 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden services & system hive ... scanning hidden registry entries ... scanning hidden files ... scan completed successfully hidden processes: 0 hidden services: 0 hidden files: 0 Remaining Services: ------------------ Authorized Application Key Export: [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list] "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019" "%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000" "C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader" [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list] "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019" "%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000" Remaining Files: --------------- File Backups: - 
C:\SDFix\backups\backups.zip Files with Hidden Attributes: Wed 8 Aug 2007 85,946 A..H. --- "C:\Documents and Settings\Mommy\Local Settings\Temp\BIT42.tmp" Wed 8 Aug 2007 400 A..H. --- "C:\Program Files\Common Files\Symantec Shared\COH\COH32LU.reg" Wed 8 Aug 2007 403 A..H. --- "C:\Program Files\Common Files\Symantec Shared\COH\COHDLU.reg" Finished! Contents of HiJackThis.log: Logfile of HijackThis v1.99.1 Scan saved at 9:35:49 PM, on 1/17/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16574) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe C:\WINDOWS\system32\HPZipm12.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\notepad.exe C:\WINDOWS\system32\hkcmd.exe C:\Program Files\HP\HP Software Update\HPWuSchd2.exe C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe C:\WINDOWS\system32\wuauclt.exe C:\Program Files\Java\jre1.5.0_03\bin\jucheck.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe C:\Program Files\HijackThis\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005 O2 - BHO: Yahoo! 
Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [HPHUPD08] C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe" O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe" O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [Aim6] "C:\Program 
Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O11 - Options group: [INTERNATIONAL] International* O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1197743959218 O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn...tDetection.cab O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - https://h20436.www2.hp.com/ediags/de...e/HPDEXAXO.cab O16 - DPF: 
{8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0) - http://javadl-esd.sun.com/update/1.5...ndows-i586.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe" -r (file missing) O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing) O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing) O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing) O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE O23 - Service: LiveUpdate Notice - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing) O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe O23 - Service: Symantec Core LC - Unknown owner - 
C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe Thanx, Pete |
#10
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 32,563
OS: 2000 Pro; XP Pro; XP Home
Re: Malware Help Please!
Hi Pete -
Please log on to Alyssa account, and post a HijackThis log from that account.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Please do not ask for help via Private Message.
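A small HijackThis log parser with a two-account comparison, added here as an example and not code from this thread or from HijackThis itself; it serves both the log request in #8 and the per-account request in #10 by showing why a second log from the Alyssa account matters (HKCU entries and the running-process list are only visible for the user who ran the scan) and by flagging the "(file missing)" / "Unknown owner" markers seen in the logs above. The function and class names (parse_hjt, diff_logs, HjtEntry) are this example's own, and the two sample logs are short excerpts constructed from the logs posted in this thread.

```python
# Parse HijackThis-style log text and compare the logs of two accounts.
# Added example; sample logs are constructed excerpts of the thread's own logs.
import re
from collections import Counter
from dataclasses import dataclass

# Every entry line starts with a section code and " - " ("R1 - HKCU\...", "O23 - Service: ...").
ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d{1,2}) - (?P<body>.+)$")


@dataclass(frozen=True)
class HjtEntry:
    code: str     # HijackThis section, e.g. "O4" or "O23"
    body: str     # everything after the "Oxx - " prefix
    hive: str     # "HKCU" (per user), "HKLM" (all users) or "" (not registry-scoped)
    flags: tuple  # markers worth a second look


def _hive_of(body):
    return next((h for h in ("HKCU", "HKLM") if body.startswith(h)), "")


def _flags_of(body):
    flags = []
    if "(file missing)" in body:
        flags.append("file-missing")   # registered path no longer exists on disk
    if "Unknown owner" in body:
        flags.append("unknown-owner")  # service binary carries no publisher info
    return tuple(flags)


def parse_hjt(text):
    """Return (running_processes, entries) parsed from one HijackThis log."""
    processes, entries = [], []
    in_process_block = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "Running processes:":
            in_process_block = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_process_block = False  # the first R/O line ends the process list
            body = m.group("body")
            entries.append(HjtEntry(m.group("code"), body, _hive_of(body), _flags_of(body)))
        elif in_process_block:
            processes.append(line)
    return processes, entries


def flagged(entries):
    return [e for e in entries if e.flags]


def per_user(entries):
    """HKCU entries: HijackThis only reads the hive of the user who ran it."""
    return [e for e in entries if e.hive == "HKCU"]


def diff_logs(text_a, text_b):
    """What log B (another account) shows that log A did not, and vice versa."""
    procs_a, ents_a = parse_hjt(text_a)
    procs_b, ents_b = parse_hjt(text_b)
    keys_a = {(e.code, e.body) for e in ents_a}
    keys_b = {(e.code, e.body) for e in ents_b}
    low_a = {p.lower() for p in procs_a}
    count_b = Counter(p.lower() for p in procs_b)
    return {
        "only_in_a": sorted(keys_a - keys_b),
        "only_in_b": sorted(keys_b - keys_a),
        "procs_only_in_b": sorted(set(count_b) - low_a),
        "dup_procs_in_b": sorted(p for p, n in count_b.items() if n > 1),
    }


# Constructed excerpts of the two logs posted in this thread (Daddy, then Alyssa).
LOG_DADDY = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe" -r (file missing)
"""

LOG_ALYSSA = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe" -r (file missing)
"""

if __name__ == "__main__":
    for e in flagged(parse_hjt(LOG_DADDY)[1]):
        print("check:", e.code, ",".join(e.flags), "->", e.body)
    print(diff_logs(LOG_DADDY, LOG_ALYSSA))
```

The diff lists the R0/R1 start-page entries and the extra rundll32.exe process that only the Alyssa log shows, and reports winlogon.exe appearing twice in that log's process list.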
#11
Registered User
Join Date: Jan 2008
Posts: 19
OS: Windows XP (SP2)
Re: Malware Help Please!
Contents of HiJackThis.log (under Alyssa's Account):
Logfile of HijackThis v1.99.1
Scan saved at 10:11:27 PM, on 1/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Java\jre1.5.0_03\bin\jucheck.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HPHUPD08] C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1197743959218
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn...tDetection.cab
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - https://h20436.www2.hp.com/ediags/de...e/HPDEXAXO.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0) - http://javadl-esd.sun.com/update/1.5...ndows-i586.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe" -r (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

Thanx, Pete
#12
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 32,563
OS: 2000 Pro; XP Pro; XP Home
Re: Malware Help Please!
Looks good, Pete.
Post a HijackThis log from the Lindsay account.
__________________
Practice Safe Surfing Because what you don't know, CAN hurt you. Please do not ask for help via Private Message.
#13
Registered User
Join Date: Jan 2008
Posts: 19
OS: Windows XP (SP2)
Re: Malware Help Please!
HiJackThis.log from Lindsay's Account:
Logfile of HijackThis v1.99.1
Scan saved at 10:32:22 PM, on 1/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Java\jre1.5.0_03\bin\jucheck.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HPHUPD08] C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1197743959218
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn...tDetection.cab
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - https://h20436.www2.hp.com/ediags/de...e/HPDEXAXO.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0) - http://javadl-esd.sun.com/update/1.5...ndows-i586.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe" -r (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

Thanx, Pete
#14
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 32,563
OS: 2000 Pro; XP Pro; XP Home
Re: Malware Help Please!
Looks good, Pete.
Post a HijackThis log from the Mommy account. Then we'll get back to work.
#15
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 32,563
OS: 2000 Pro; XP Pro; XP Home
Re: Malware Help Please!
Also, are you still getting this, and if so, in which account?
Quote:
#16
Registered User
Join Date: Jan 2008
Posts: 19
OS: Windows XP (SP2)
Re: Malware Help Please!
HiJackThis.log from Mommy Account:
Logfile of HijackThis v1.99.1
Scan saved at 10:53:51 PM, on 1/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Java\jre1.5.0_03\bin\jucheck.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://espn.go.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HPHUPD08] C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1197743959218
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn...tDetection.cab
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - https://h20436.www2.hp.com/ediags/de...e/HPDEXAXO.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0) - http://javadl-esd.sun.com/update/1.5...ndows-i586.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe" -r (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

And yes, I'm still receiving the "Cannot find 'file:///C:/WINDOWS/privacy_danger/index.htm'" diagnostic. This was only occurring in the Mommy account. Also, the background in this desktop (Mommy) is completely white and I cannot right-click in the desktop in order to get the "Display Properties".

Thanx, Pete
#17
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 32,563
OS: 2000 Pro; XP Pro; XP Home
Re: Malware Help Please!
What account did you run SmitfraudFix on?
#18
Registered User
Join Date: Jan 2008
Posts: 19
OS: Windows XP (SP2)
Re: Malware Help Please!
I'm not sure but probably "Daddy" which is my account. I didn't realize that it needed to be executed on each of the individual accounts; I thought that it scanned the entire computer.
#19
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 32,563
OS: 2000 Pro; XP Pro; XP Home
Re: Malware Help Please!
Well, in most aspects it does, but I think for the desktop fix portion of the fix, there are HKCU entries.
Boot into safe mode, choose the Mommy account, and run SmitfraudFix again. Restart in normal mode. Post the log, c:\rapport.txt.

========================================

Next, go to Control Panel, click Display > Desktop > Customize Desktop > Web. Now, uncheck everything and delete if present:

---------------------------------------------------------------------------------------------

Double-click on SmitfraudFix.exe to start the tool.
Select option #3 - Delete Trusted zone by typing 3 and press Enter.
Answer Yes to the question "Restore Trusted Zone ?" by typing Y and hit Enter.

Note, if you use SpywareBlaster and/or IE-SPYAD, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE-SPYAD, run the batch file and reinstall the protection.
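The per-account point made in the post above (HKCU entries live in each user's hive, so one machine yields a different HijackThis log per account and a per-user fix has to run from that account) is the kind of thing a small log-triage script makes visible. The Python below is an added example, not HijackThis or SmitfraudFix code and not from anyone in this thread: it parses HijackThis-style entry lines, separates HKCU (per-user) from HKLM (machine-wide) items, lists R0 start pages and O23 services flagged "(file missing)", and diffs two accounts' logs. The two sample logs are constructed from the entry formats seen in the thread, with one hypothetical HKCU Run entry ("HypotheticalLoader") invented so the diff has something to show.

```python
"""Triage helper for HijackThis-style logs (added example, not HijackThis code).

HijackThis reads per-user items (R0/R1 pages, HKCU Run keys) from the hive of
the account that ran it, so one machine gives one log per account. This script
separates per-user from machine-wide entries and diffs two accounts' logs.
"""
import re

ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d{1,2}) - (?P<body>.*)$")
SCOPE_RE = re.compile(r"\b(HKCU|HKLM|HKU)\b")
START_PAGE_RE = re.compile(r"Start Page = (?P<url>\S+)")

# Constructed samples in the HijackThis 1.99.1 line format; the
# "HypotheticalLoader" Run entry is invented for the demonstration.
DADDY_SAMPLE = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: LiveUpdate Notice - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
"""

MOMMY_SAMPLE = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://espn.go.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [HypotheticalLoader] C:\DOCUME~1\Mommy\LOCALS~1\Temp\hypothetical.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: LiveUpdate Notice - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
"""


def parse_entries(log_text):
    """One dict per R/F/O entry: code, body, registry scope, file_missing."""
    entries = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue  # header, blank line or a running-process path
        body = m.group("body")
        scope = SCOPE_RE.search(body)
        entries.append({
            "code": m.group("code"),
            "body": body,
            "scope": scope.group(1) if scope else None,
            # HijackThis 1.99.1 also prints this for quoted service paths that
            # carry arguments, so treat it as "verify", not as "malicious".
            "file_missing": "(file missing)" in body,
        })
    return entries


def per_user_entries(entries):
    """HKCU items live in the logged-on user's hive: a fix must run from
    that account, which is why one account can stay infected."""
    return [e for e in entries if e["scope"] == "HKCU"]


def start_pages(entries):
    """IE start pages (R0 lines), the classic browser-hijack indicator."""
    found = (START_PAGE_RE.search(e["body"]) for e in entries if e["code"] == "R0")
    return [m.group("url") for m in found if m]


def missing_service_binaries(entries):
    """O23 services whose image path HijackThis could not resolve."""
    return [e for e in entries if e["code"] == "O23" and e["file_missing"]]


def entries_only_in(second, first):
    """Entries in `second` that `first` lacks, e.g. Mommy's log vs Daddy's."""
    seen = {(e["code"], e["body"]) for e in first}
    return [e for e in second if (e["code"], e["body"]) not in seen]


if __name__ == "__main__":
    daddy, mommy = parse_entries(DADDY_SAMPLE), parse_entries(MOMMY_SAMPLE)
    print("Mommy start page(s):", start_pages(mommy))
    for e in entries_only_in(mommy, daddy):
        print("only in Mommy:", e["code"], "-", e["body"][:72])
    for e in missing_service_binaries(mommy):
        print("verify service path:", e["body"][:72])
```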
#20
Registered User
Join Date: Jan 2008
Posts: 19
OS: Windows XP (SP2)
Re: Malware Help Please!
Sorry for the delay.
Contents of rapport.txt:

SmitFraudFix v2.274

Scan done at 17:15:02.56, Fri 01/18/2008
Run from C:\Downloads\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS

Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process

»»»»»»»»»»»»»»»»»»»»»»»» hosts

127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\DOCUME~1\Mommy\Desktop\Error Cleaner.url Deleted
C:\DOCUME~1\Mommy\Desktop\Privacy Protector.url Deleted
C:\DOCUME~1\Mommy\Desktop\Spyware?Malware Protection.url Deleted
C:\DOCUME~1\Mommy\FAVORI~1\Error Cleaner.url Deleted
C:\DOCUME~1\Mommy\FAVORI~1\Privacy Protector.url Deleted
C:\DOCUME~1\Mommy\FAVORI~1\Spyware?Malware Protection.url Deleted

»»»»»»»»»»»»»»»»»»»»»»»» IEDFix

IEDFix.exe by S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{72CBA239-63B4-49B5-B44C-3075B359FB1B}: DhcpNameServer=167.206.254.1 167.206.254.2
HKLM\SYSTEM\CS1\Services\Tcpip\..\{72CBA239-63B4-49B5-B44C-3075B359FB1B}: DhcpNameServer=167.206.254.1 167.206.254.2
HKLM\SYSTEM\CS2\Services\Tcpip\..\{72CBA239-63B4-49B5-B44C-3075B359FB1B}: DhcpNameServer=167.206.254.1 167.206.254.2
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=167.206.254.1 167.206.254.2
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=167.206.254.1 167.206.254.2
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=167.206.254.1 167.206.254.2

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» End

Thanx, Pete