
[Resolved] Help! My Computer Is Being Overtaken By Aliens!


  • This topic is locked
12 replies to this topic

#1 problemchild

  • New Member
  • 6 posts

Posted 13 July 2007 - 08:00 PM

Hi there!

Where would we be without u guys?!?! Seriously!!! My laptop had been playing up for a while... so I took all old files off and reinstalled Win XP. I also then added Norton (after using various free Virus/Trojan removal programs) and found that my laptop was riddled with viruses and trojans! Most of them have been cleared up but there are still a few weird things happening like random popups for casinos and ebay and spyware removal tools etc.

My explorer is taking up almost 100% CPU usage and it seems like it's on the verge of having a breakdown. Here's my Hijack This log. Please advise!!!

Logfile of HijackThis v1.99.1
Scan saved at 11:52:15 AM, on 7/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Common Files\Symantec Shared\AdBlocking\NSMdtr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\OPScan.exe
C:\DOCUME~1\ALLUSE~1\DOCUME~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\Joanne\My Documents\My Downloads\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://au.yahoo.com/
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\retadpu1000137.exe 61A847B5BBF72813329B385771FE01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310F3
2907D4E66914B5C1E9E689DB6FC45715ED96D1223AD51A6C383221233983F4827B144
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [icq.com] rundll32.exe "C:\WINDOWS\system32\iryteeok.dll",forkonce
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{37C62339-655F-4570-A7BC-1A5B193A7DFE}: NameServer = 203.134.12.90 203.134.102.90
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe



#2 Trevuren

  • Teacher Emeritus
  • Authentic Member
  • 8,632 posts
  • Interests: Woodworking

Posted 13 July 2007 - 08:21 PM

Hello problemchild and welcome to the TomCoyote Forums

My name is Trevuren and I will be helping you with your problem.


1. I need to get you to move HijackThis to a folder of its own so that nothing gets deleted by mistake.
  • Right click in an empty space on your desktop.
  • From the Menu, click New, then Folder and a folder will appear on your desktop.
  • Name the folder HJT.
  • Copy/Paste your current version of HijackThis.exe from C:\Documents and Settings\Joanne\My Documents\My Downloads\HijackThis.exe into the new Folder that was just created.



2. Some trojans have a way of masking their presence from the HijackThis program when they recognize the name. I think that this is the case here because there are no O2 or O20 entries visible in your log.

Please locate the following file on your desktop: HijackThis.exe
Next, right click on the file and from the popup menu that appears, choose the RENAME option and rename the file Killer.exe.

From now on, when I ask you to start HijackThis, just click on the Killer.exe file.


3. A. Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.



B. Download ComboFix from Here to your Desktop.
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall.


C. Reports/Logs to post:
  • VundoFix.txt
  • ComboFix.txt
  • HijackThis log

Microsoft MVP Consumer Security 2008 - 2009


Proud graduate of TC/WTT Classroom



The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Want to help others? Join the ClassRoom and learn how.
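
The two checks Trevuren's reply relies on, that a HijackThis log with no O2 or O20 entries at all suggests the scanner is being blinded, and that comparing a log taken before a fix with one taken after shows what the fix actually removed, can be automated. The script below is an added example, not part of this thread and not code from HijackThis; the two embedded logs are shortened excerpts constructed from the two logs posted in this thread (the one above and the one problemchild posts after running VundoFix and ComboFix), and `scanner_blinded` encodes only the heuristic stated in the reply, not a definitive test.

```python
import re
from typing import NamedTuple

# Constructed excerpts in HijackThis v1.99.1 format, shortened from the logs in this
# thread: the first was taken before any cleanup, the second after VundoFix/ComboFix.
HJT_BEFORE = r"""Logfile of HijackThis v1.99.1
Scan saved at 11:52:15 AM, on 7/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://au.yahoo.com/
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [icq.com] rundll32.exe "C:\WINDOWS\system32\iryteeok.dll",forkonce
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
"""

HJT_AFTER = r"""Logfile of HijackThis v1.99.1
Scan saved at 2:38:15 PM, on 7/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Joanne\Desktop\HJT\Killer.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://au.yahoo.com/
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {98B8C412-6201-4B33-8628-363E9814F67B} - C:\WINDOWS\system32\pmkjh.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
"""

# A HijackThis entry line: section code (R0, F1, O2, O23, ...) then " - " then the body.
ENTRY_RE = re.compile(r"^([RFO]\d+) - (.*)$")


class Entry(NamedTuple):
    section: str   # e.g. "O4"
    body: str      # everything after "O4 - "


def parse_hjt(text):
    """Extract (section, body) entries; the header and the process list are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2).strip()))
    return entries


def sections_present(entries):
    return {e.section for e in entries}


def scanner_blinded(entries):
    """The thread's heuristic only: a log with no O2 (BHO) and no O20 entries at all
    is suspicious on a box where Norton and Java alone register BHOs."""
    return not (sections_present(entries) & {"O2", "O20"})


def missing_file_entries(entries):
    """Entries whose target no longer exists: leftovers of a removed infection that
    should still be cleaned so the loader stops trying them."""
    return [e for e in entries if "(file missing)" in e.body or "(no file)" in e.body]


def diff_logs(before_text, after_text):
    """Return (removed, added) entries between two logs of the same machine."""
    before = {(e.section, e.body) for e in parse_hjt(before_text)}
    after = {(e.section, e.body) for e in parse_hjt(after_text)}
    return sorted(before - after), sorted(after - before)


def report(before_text, after_text):
    removed, added = diff_logs(before_text, after_text)
    return {
        "before_blinded": scanner_blinded(parse_hjt(before_text)),
        "after_blinded": scanner_blinded(parse_hjt(after_text)),
        "removed": removed,
        "added": added,
        "dangling": [e.body for e in missing_file_entries(parse_hjt(after_text))],
    }


if __name__ == "__main__":
    for key, value in report(HJT_BEFORE, HJT_AFTER).items():
        print(key, value)
```

Run against the two excerpts, the report flags the first log as blinded, the second as not, lists the rundll32 O4 entry as the only line that disappeared, and returns the two dangling O2 entries that the cleanup still has to remove.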



#3 problemchild

  • New Member
  • 6 posts

Posted 13 July 2007 - 10:43 PM

ok here goes...

1. Vundo log
2. Combo log
3. HJT log

----------------------------------------------------------------------------------------------------

VundoFix V6.5.4

Checking Java version...

Scan started at 2:01:06 PM 7/14/2007

Listing files found while scanning....

C:\WINDOWS\system32\gbelxfcs.dll
C:\windows\system32\hjkmp.bak1
C:\windows\system32\hjkmp.bak2
C:\windows\system32\hjkmp.ini
C:\WINDOWS\system32\iryteeok.dll
C:\windows\system32\koeetyri.ini
C:\WINDOWS\system32\mljhiff.dll
C:\WINDOWS\system32\pmkjh.dll

Beginning removal...

Attempting to delete C:\windows\system32\hjkmp.bak1
C:\windows\system32\hjkmp.bak1 Has been deleted!

Attempting to delete C:\windows\system32\hjkmp.bak2
C:\windows\system32\hjkmp.bak2 Has been deleted!

Attempting to delete C:\windows\system32\hjkmp.ini
C:\windows\system32\hjkmp.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\iryteeok.dll
C:\WINDOWS\system32\iryteeok.dll Has been deleted!

Attempting to delete C:\windows\system32\koeetyri.ini
C:\windows\system32\koeetyri.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\mljhiff.dll
C:\WINDOWS\system32\mljhiff.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\pmkjh.dll
C:\WINDOWS\system32\pmkjh.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.5.4

Checking Java version...

Scan started at 2:07:16 PM 7/14/2007

Listing files found while scanning....

No infected files were found.

-------------------------------------------------------------------------------------------------------------
"Joanne" - 2007-07-14 14:31:04 - ComboFix 07-07-14.3 - Service Pack 2 NTFS


(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\dtmwshkm.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\Joanne\Desktop\internet.lnk
C:\Program Files\Common Files\dobe~1
C:\Program Files\Common Files\Yazzle1122OinUninstaller.exe
C:\Program Files\inetget2
C:\Program Files\winpop
C:\WINDOWS\system32\bszip.dll
C:\WINDOWS\system32\ovdgmfmo.exe
C:\WINDOWS\system32\x.exe
C:\WINDOWS\wr.txt


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_DOMAINSERVICE


((((((((((((((((((((((((( Files Created from 2007-06-14 to 2007-07-14 )))))))))))))))))))))))))))))))


2007-07-14 14:30 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-14 14:01 <DIR> d-------- C:\VundoFix Backups
2007-07-13 23:43 <DIR> d-------- C:\Program Files\Synonyms and Antonyms
2007-07-10 19:16 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2007-07-10 19:16 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2007-07-10 00:41 <DIR> d-------- C:\Program Files\SymNetDrv
2007-07-10 00:38 79 --a------ C:\WINDOWS\delay.reg
2007-07-09 19:39 167 --a------ C:\DOCUME~1\Joanne\6284.bat
2007-07-09 19:11 <DIR> d-------- C:\Program Files\Norton Internet Security
2007-07-09 19:10 <DIR> d-------- C:\DOCUME~1\Joanne\APPLIC~1\Symantec
2007-07-09 19:09 91,904 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2007-07-09 19:09 124,016 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-07-09 19:08 <DIR> d-------- C:\Program Files\Symantec
2007-07-09 19:07 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2007-07-09 19:07 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec
2007-07-09 18:39 167 --a------ C:\DOCUME~1\Joanne\8103.bat
2007-07-08 19:59 167 --a------ C:\DOCUME~1\Joanne\6996.bat
2007-07-08 15:58 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2007-07-08 14:19 167 --a------ C:\DOCUME~1\Joanne\3333.bat
2007-07-07 12:25 167 --a------ C:\DOCUME~1\Joanne\2347.bat
2007-07-06 19:25 167 --a------ C:\DOCUME~1\Joanne\4725.bat
2007-07-06 12:33 167 --a------ C:\DOCUME~1\Joanne\8940.bat
2007-07-06 00:01 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2007-07-06 00:01 <DIR> d-------- C:\WINDOWS\system32\PreInstall
2007-07-05 23:05 <DIR> d-------- C:\WINDOWS\system32\SoftwareDistribution
2007-07-05 22:57 <DIR> d---s---- C:\DOCUME~1\Joanne\UserData
2007-07-05 22:49 167 --a------ C:\DOCUME~1\Joanne\4632.bat
2007-07-05 12:49 167 --a------ C:\DOCUME~1\Joanne\4944.bat
2007-07-05 12:36 167 --a------ C:\DOCUME~1\Joanne\5079.bat
2007-07-05 12:35 10,838 --a------ C:\DOCUME~1\Joanne\install.exe
2007-07-04 22:49 167 --a------ C:\DOCUME~1\Joanne\2809.bat
2007-07-04 22:47 86,016 --a------ C:\WINDOWS\unvise32qt.exe
2007-07-04 22:46 <DIR> d-------- C:\WINDOWS\system32\QuickTime
2007-07-04 22:46 <DIR> d-------- C:\Program Files\QuickTime
2007-07-04 22:46 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\QuickTime
2007-07-04 22:45 <DIR> d-------- C:\Program Files\eMedia Starter Guitar Lessons
2007-07-04 21:59 2,560 --------- C:\WINDOWS\system32\drivers\cdralw2k.sys
2007-07-04 21:59 2,432 --------- C:\WINDOWS\system32\drivers\cdr4_xp.sys
2007-07-04 21:59 <DIR> d-------- C:\Program Files\Picasa2
2007-07-04 21:59 <DIR> d-------- C:\Program Files\Google
2007-07-04 21:58 <DIR> d-------- C:\Program Files\Photo To Sketch
2007-07-04 21:58 <DIR> d-------- C:\Program Files\NCH Swift Sound
2007-07-04 21:58 <DIR> d-------- C:\DOCUME~1\Joanne\APPLIC~1\NCH Swift Sound
2007-07-04 21:54 32,768 --a------ C:\DOCUME~1\Joanne\setup9x.exe
2007-07-04 21:54 167 --a------ C:\DOCUME~1\Joanne\1934.bat
2007-07-04 20:55 141 --a------ C:\DOCUME~1\Ketura\3090.bat
2007-07-04 20:53 66,048 --a------ C:\DOCUME~1\Ketura\x.exe
2007-07-04 17:52 25,600 --a------ C:\WINDOWS\system32\drivers\usbser.sys
2007-07-04 17:45 <DIR> d-------- C:\DOCUME~1\Joanne\APPLIC~1\Help
2007-07-04 17:14 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll
2007-07-04 16:47 <DIR> d-------- C:\DOCUME~1\Joanne\APPLIC~1\WinRAR
2007-07-04 16:35 <DIR> d-------- C:\bintheredunthat
2007-07-04 16:33 <DIR> d--hs---- C:\DOCUME~1\Joanne\Complete
2007-07-04 15:32 <DIR> d-------- C:\WINDOWS\pss
2007-07-04 10:43 <DIR> d-------- C:\DOCUME~1\Ketura\Incomplete
2007-07-04 10:42 <DIR> d-------- C:\DOCUME~1\Ketura\APPLIC~1\LimeWire
2007-07-04 02:54 0 --a------ C:\WINDOWS\system32\taskkill.exe
2007-07-04 02:39 <DIR> d-------- C:\DOCUME~1\Joanne\Shared
2007-07-04 02:39 <DIR> d-------- C:\DOCUME~1\Joanne\Incomplete
2007-07-04 02:37 <DIR> d-------- C:\Program Files\LimeWire
2007-07-04 02:25 <DIR> d-------- C:\DOCUME~1\Joanne\.limewire
2007-07-03 22:37 <DIR> d-------- C:\etax2007
2007-07-03 19:40 <DIR> d-------- C:\DOCUME~1\Ketura\APPLIC~1\Talkback
2007-07-03 02:20 82,944 --a------ C:\WINDOWS\system32\drivers\wdmaud.sys
2007-07-03 02:20 7,552 --a------ C:\WINDOWS\system32\drivers\MSKSSRV.sys
2007-07-03 02:20 60,800 --a------ C:\WINDOWS\system32\drivers\sysaudio.sys
2007-07-03 02:20 54,272 --a------ C:\WINDOWS\system32\drivers\swmidi.sys
2007-07-03 02:20 52,864 --a------ C:\WINDOWS\system32\drivers\DMusic.sys
2007-07-03 02:20 5,376 --a------ C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2007-07-03 02:20 2,944 --a------ C:\WINDOWS\system32\drivers\drmkaud.sys
2007-07-03 02:20 172,416 --a------ C:\WINDOWS\system32\drivers\kmixer.sys
2007-07-03 02:20 142,464 --a------ C:\WINDOWS\system32\drivers\aec.sys
2007-07-03 02:19 6,400 --a------ C:\WINDOWS\system32\drivers\splitter.sys
2007-07-03 02:19 4,992 --a------ C:\WINDOWS\system32\drivers\MSPQM.sys
2007-07-03 02:19 3,072 --a------ C:\WINDOWS\system32\drivers\audstub.sys
2007-07-03 02:19 27,164 --a------ C:\WINDOWS\system32\drivers\CE3N5.SYS
2007-07-03 02:18 870,784 --a------ C:\WINDOWS\system32\ati3d1ag.dll
2007-07-03 02:18 701,440 --a------ C:\WINDOWS\system32\drivers\ati2mtag.sys
2007-07-03 02:18 57,472 --a------ C:\WINDOWS\system32\drivers\redbook.sys
2007-07-03 02:18 516,768 --a------ C:\WINDOWS\system32\ativvaxx.dll
2007-07-03 02:18 229,376 --a------ C:\WINDOWS\system32\ati2cqag.dll
2007-07-03 02:18 201,728 --a------ C:\WINDOWS\system32\ati2dvag.dll
2007-07-03 02:18 1,888,992 --a------ C:\WINDOWS\system32\ati3duag.dll
2007-07-03 02:17 96,256 --a------ C:\WINDOWS\system32\drivers\ac97intc.sys
2007-07-03 02:17 9,344 --a------ C:\WINDOWS\system32\drivers\compbatt.sys
2007-07-03 02:17 74,240 --a------ C:\WINDOWS\system32\usbui.dll
2007-07-03 02:17 60,288 --a------ C:\WINDOWS\system32\drivers\drmk.sys
2007-07-03 02:17 42,368 --a------ C:\WINDOWS\system32\drivers\AGP440.SYS
2007-07-03 02:17 4,096 --a------ C:\WINDOWS\system32\ksuser.dll
2007-07-03 02:17 145,792 --a------ C:\WINDOWS\system32\drivers\portcls.sys
2007-07-03 02:17 14,080 --a------ C:\WINDOWS\system32\drivers\CmBatt.sys
2007-07-03 02:17 14,080 --a------ C:\WINDOWS\system32\drivers\battc.sys
2007-07-03 02:15 9,936 --a------ C:\WINDOWS\system\LZEXPAND.DLL
2007-07-03 02:15 9,008 --a------ C:\WINDOWS\system\VER.DLL
2007-07-03 02:15 85,020 --a------ C:\WINDOWS\system32\dgsetup.dll
2007-07-03 02:15 82,944 --a------ C:\WINDOWS\system\OLECLI.DLL
2007-07-03 02:15 8,704 --a------ C:\WINDOWS\system32\batt.dll
2007-07-03 02:15 8,192 -ra------ C:\WINDOWS\system32\kbdhept.dll
2007-07-03 02:15 74,752 --a------ C:\WINDOWS\system32\storprop.dll
2007-07-03 02:15 7,168 -ra------ C:\WINDOWS\system32\kbdcz.dll


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-16 12:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-16 12:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
2001-04-16 16:39 37808 --------- C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
2007-03-14 03:43 501400 --a------ C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{98B8C412-6201-4B33-8628-363E9814F67B}]
C:\WINDOWS\system32\pmkjh.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9ECB9560-04F9-4bbc-943D-298DDF1699E1}]
2004-08-31 10:29 103568 --a------ C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BDF3E430-B101-42AD-A544-FADC6B084872}]
2005-01-10 12:20 218736 --a------ C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 17:32]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PowerBar"="" []
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 22:00]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-14 02:24]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-06-11 18:16]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 12:54]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\icq.com]
rundll32.exe "C:\WINDOWS\system32\pvatpgux.dll",forkonce

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
C:\Program Files\Ahead\InCD\InCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LGODDFU]
"C:\Program Files\lg_fwupdate\fwupdate.exe" blrun

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"C:\Program Files\MSN Messenger\msnmsgr.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCTVOICE]
pctspk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
"C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec NetDriver Monitor]
C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Taul]
"C:\PROGRA~1\COMMON~1\DOBE~1\chkntfs.exe" -vt yazb

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinPop]
C:\Program Files\WinPop\winpop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"gusvc"=3 (0x3)
"InCDsrv"=2 (0x2)
"WZCSVC"=2 (0x2)
"Themes"=2 (0x2)
"Netlogon"=3 (0x3)
"ISSVC"=2 (0x2)
"ImapiService"=3 (0x3)
"HTTPFilter"=3 (0x3)
"helpsvc"=2 (0x2)
"FastUserSwitchingCompatibility"=3 (0x3)
"COMSysApp"=3 (0x3)
"CiSvc"=3 (0x3)
"AudioSrv"=2 (0x2)
"SPBBCSvc"=2 (0x2)
"SNDSrvc"=2 (0x2)
"ose"=3 (0x3)


Contents of the 'Scheduled Tasks' folder
2007-07-13 10:05:46 C:\WINDOWS\tasks\Norton AntiVirus - Scan my computer - Joanne.job

**************************************************************************

catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-14 14:35:34
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
PowerBar = ?W?????????????????????????????????????????????????????????????|p??|????m??|?`?w????????PW????@?8?@?????PW??c"?s???s??????@?????N'?s?W2?L|?s????????????u??s????????c"?s???s??????@?8?@?N'?s${2??$@?8?@?8?@?????????0{2?`C2????s???s W2??C2?`C2?0i?s?????????W2????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-14 14:37:30 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-07-14 14:37

--- E O F ---
------------------------------------------------------------------------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 2:38:15 PM, on 7/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\cmd.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\cmd.exe
C:\ComboFix\vfind.cfexe
C:\Documents and Settings\Joanne\Desktop\HJT\Killer.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://au.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {98B8C412-6201-4B33-8628-363E9814F67B} - C:\WINDOWS\system32\pmkjh.dll (file missing)
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

#4 Trevuren

  • Teacher Emeritus
  • Authentic Member
  • 8,632 posts
  • Interests: Woodworking

Posted 13 July 2007 - 11:22 PM

A. IMPORTANT. Do you know anything about all the batch files in your ComboFix.txt?

Example:

2007-07-04 21:54 167 --a------ C:\DOCUME~1\Joanne\1934.bat
2007-07-04 20:55 141 --a------ C:\DOCUME~1\Ketura\3090.bat


There are many, many more.


B. 1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\unvise32qt.exe
C:\DOCUME~1\Joanne\setup9x.exe
C:\DOCUME~1\Ketura\x.exe

Folder::
C:\VundoFix Backups
C:\bintheredunthat

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{98B8C412-6201-4B33-8628-363E9814F67B}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\icq.com]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LGODDFU]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Taul]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinPop]


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

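
Two things in Trevuren's reply lend themselves to a small triage script: the cluster of identically sized, numerically named .bat files in the ComboFix "Files Created" listing (part A), and the CFScript itself (part B), whose Registry:: section uses the same conventions as a .reg file. The Python below is an added example, not part of this thread and not code from ComboFix or HijackThis. The file listing is a constructed excerpt of the ComboFix log posted above, the CFScript is copied from the reply, and the directive semantics modelled here (File:: and Folder:: list items to delete; in Registry::, `[-KEY]` deletes a key, `[KEY]` selects a key and `"name"=-` deletes that value under it) are assumed from that script alone; ComboFix's other directives are not covered.

```python
import re
from collections import defaultdict

# Constructed excerpt of a ComboFix "Files Created" listing (lines taken from the log
# in this thread): <date> <time> <size or <DIR>> <attributes> <path>
FILES_CREATED = r"""2007-07-14 14:30 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-09 19:39 167 --a------ C:\DOCUME~1\Joanne\6284.bat
2007-07-09 18:39 167 --a------ C:\DOCUME~1\Joanne\8103.bat
2007-07-08 19:59 167 --a------ C:\DOCUME~1\Joanne\6996.bat
2007-07-05 12:35 10,838 --a------ C:\DOCUME~1\Joanne\install.exe
2007-07-04 21:54 167 --a------ C:\DOCUME~1\Joanne\1934.bat
2007-07-04 20:55 141 --a------ C:\DOCUME~1\Ketura\3090.bat
2007-07-04 20:53 66,048 --a------ C:\DOCUME~1\Ketura\x.exe
2007-07-04 02:37 <DIR> d-------- C:\Program Files\LimeWire
"""

LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\d) (\d\d:\d\d) (<DIR>|[\d,]+) (\S+) (.+)$")


def parse_files_created(text):
    """Parse listing lines into dicts; directories get size None."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            date, time, size, attrs, path = m.groups()
            rows.append({"when": f"{date} {time}", "attrs": attrs, "path": path,
                         "size": None if size == "<DIR>" else int(size.replace(",", ""))})
    return rows


def dropper_clusters(rows, min_count=2):
    """Group files by (folder, extension, size) and keep groups whose names are purely
    numeric: repeated same-size, randomly numbered scripts in a profile root stand
    out as a group even when each file on its own looks harmless."""
    groups = defaultdict(list)
    for r in rows:
        if r["size"] is None:
            continue
        folder, _, name = r["path"].rpartition("\\")
        stem, _, ext = name.rpartition(".")
        if stem.isdigit():
            groups[(folder, ext.lower(), r["size"])].append(r["path"])
    return {k: v for k, v in groups.items() if len(v) >= min_count}


# The CFScript from the reply above, verbatim. Semantics assumed from this script only:
# File::/Folder:: list items to delete; in Registry::, "[-KEY]" deletes a key, "[KEY]"
# selects a key, and "name"=- deletes that value under the selected key.
CFSCRIPT = r"""File::
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\unvise32qt.exe
C:\DOCUME~1\Joanne\setup9x.exe
C:\DOCUME~1\Ketura\x.exe

Folder::
C:\VundoFix Backups
C:\bintheredunthat

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{98B8C412-6201-4B33-8628-363E9814F67B}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\icq.com]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LGODDFU]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Taul]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinPop]
"""


def cfscript_plan(text):
    """Render a CFScript as (action, target) pairs so the whole plan can be reviewed
    before it is dropped onto ComboFix. Unknown lines are reported, not skipped."""
    plan, section, current_key = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):
            section, current_key = line[:-2], None
        elif section == "File":
            plan.append(("delete_file", line))
        elif section == "Folder":
            plan.append(("delete_folder", line))
        elif section == "Registry" and line.startswith("[-") and line.endswith("]"):
            plan.append(("delete_key", line[2:-1]))
        elif section == "Registry" and line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
        elif section == "Registry" and line.endswith("=-") and current_key:
            plan.append(("delete_value", current_key + "\\" + line[1:-3]))
        else:
            plan.append(("unrecognised", line))
    return plan


def summarize(plan):
    counts = defaultdict(int)
    for action, _ in plan:
        counts[action] += 1
    return dict(counts)


if __name__ == "__main__":
    for key, paths in dropper_clusters(parse_files_created(FILES_CREATED)).items():
        print("cluster", key, "->", len(paths), "files")
    for action, target in cfscript_plan(CFSCRIPT):
        print(f"{action:14} {target}")
```

On the excerpt, `dropper_clusters` returns one group, the four 167-byte .bat files in Joanne's profile root, and leaves the single 141-byte file in Ketura's profile alone because a lone file is not a cluster; `cfscript_plan` expands the script into 4 file deletions, 2 folder deletions, 6 key deletions and 1 value deletion, which is the list worth reading through before handing the script to ComboFix.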

#5 problemchild

  • New Member
  • 6 posts

Posted 14 July 2007 - 04:51 AM

No, sorry, I have no idea what batch files are or what their purpose is. Here are the combo and hjt log files.

-----------------------------------------------------------------------------------------------------------
"Joanne" - 2007-07-14 18:04:46 - ComboFix 07-07-14.3 - Service Pack 2 NTFS
Command switches used :: C:\Documents and Settings\Joanne\Desktop\CFScript.txt


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\bintheredunthat
C:\DOCUME~1\Joanne\setup9x.exe
C:\DOCUME~1\Ketura\x.exe
C:\VundoFix Backups
C:\VundoFix Backups\hjkmp.bak1.bad
C:\VundoFix Backups\hjkmp.bak2.bad
C:\VundoFix Backups\hjkmp.ini.bad
C:\VundoFix Backups\iryteeok.dll.bad
C:\VundoFix Backups\koeetyri.ini.bad
C:\VundoFix Backups\mljhiff.dll.bad
C:\VundoFix Backups\pmkjh.dll.bad
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\unvise32qt.exe


((((((((((((((((((((((((( Files Created from 2007-06-14 to 2007-07-14 )))))))))))))))))))))))))))))))


2007-07-14 18:03 0 --a------ C:\DOCUME~1\Joanne\.exe
2007-07-14 14:30 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-13 23:43 <DIR> d-------- C:\Program Files\Synonyms and Antonyms
2007-07-10 19:16 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2007-07-10 19:16 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2007-07-10 00:41 <DIR> d-------- C:\Program Files\SymNetDrv
2007-07-10 00:38 79 --a------ C:\WINDOWS\delay.reg
2007-07-09 19:39 167 --a------ C:\DOCUME~1\Joanne\6284.bat
2007-07-09 19:11 <DIR> d-------- C:\Program Files\Norton Internet Security
2007-07-09 19:10 <DIR> d-------- C:\DOCUME~1\Joanne\APPLIC~1\Symantec
2007-07-09 19:09 91,904 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2007-07-09 19:09 124,016 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-07-09 19:08 <DIR> d-------- C:\Program Files\Symantec
2007-07-09 19:07 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2007-07-09 19:07 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec
2007-07-09 18:39 167 --a------ C:\DOCUME~1\Joanne\8103.bat
2007-07-08 19:59 167 --a------ C:\DOCUME~1\Joanne\6996.bat
2007-07-08 15:58 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2007-07-08 14:19 167 --a------ C:\DOCUME~1\Joanne\3333.bat
2007-07-07 12:25 167 --a------ C:\DOCUME~1\Joanne\2347.bat
2007-07-06 19:25 167 --a------ C:\DOCUME~1\Joanne\4725.bat
2007-07-06 12:33 167 --a------ C:\DOCUME~1\Joanne\8940.bat
2007-07-06 00:01 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2007-07-06 00:01 <DIR> d-------- C:\WINDOWS\system32\PreInstall
2007-07-05 23:05 <DIR> d-------- C:\WINDOWS\system32\SoftwareDistribution
2007-07-05 22:57 <DIR> d---s---- C:\DOCUME~1\Joanne\UserData
2007-07-05 22:49 167 --a------ C:\DOCUME~1\Joanne\4632.bat
2007-07-05 12:49 167 --a------ C:\DOCUME~1\Joanne\4944.bat
2007-07-05 12:36 167 --a------ C:\DOCUME~1\Joanne\5079.bat
2007-07-05 12:35 10,838 --a------ C:\DOCUME~1\Joanne\install.exe
2007-07-04 22:49 167 --a------ C:\DOCUME~1\Joanne\2809.bat
2007-07-04 22:46 <DIR> d-------- C:\WINDOWS\system32\QuickTime
2007-07-04 22:46 <DIR> d-------- C:\Program Files\QuickTime
2007-07-04 22:46 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\QuickTime
2007-07-04 22:45 <DIR> d-------- C:\Program Files\eMedia Starter Guitar Lessons
2007-07-04 21:59 2,560 --------- C:\WINDOWS\system32\drivers\cdralw2k.sys
2007-07-04 21:59 2,432 --------- C:\WINDOWS\system32\drivers\cdr4_xp.sys
2007-07-04 21:59 <DIR> d-------- C:\Program Files\Picasa2
2007-07-04 21:59 <DIR> d-------- C:\Program Files\Google
2007-07-04 21:58 <DIR> d-------- C:\Program Files\Photo To Sketch
2007-07-04 21:58 <DIR> d-------- C:\Program Files\NCH Swift Sound
2007-07-04 21:58 <DIR> d-------- C:\DOCUME~1\Joanne\APPLIC~1\NCH Swift Sound
2007-07-04 21:54 167 --a------ C:\DOCUME~1\Joanne\1934.bat
2007-07-04 20:55 141 --a------ C:\DOCUME~1\Ketura\3090.bat
2007-07-04 17:52 25,600 --a------ C:\WINDOWS\system32\drivers\usbser.sys
2007-07-04 17:45 <DIR> d-------- C:\DOCUME~1\Joanne\APPLIC~1\Help
2007-07-04 17:14 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll
2007-07-04 16:47 <DIR> d-------- C:\DOCUME~1\Joanne\APPLIC~1\WinRAR
2007-07-04 16:33 <DIR> d--hs---- C:\DOCUME~1\Joanne\Complete
2007-07-04 15:32 <DIR> d-------- C:\WINDOWS\pss
2007-07-04 10:43 <DIR> d-------- C:\DOCUME~1\Ketura\Incomplete
2007-07-04 10:42 <DIR> d-------- C:\DOCUME~1\Ketura\APPLIC~1\LimeWire
2007-07-04 02:54 0 --a------ C:\WINDOWS\system32\taskkill.exe
2007-07-04 02:39 <DIR> d-------- C:\DOCUME~1\Joanne\Shared
2007-07-04 02:39 <DIR> d-------- C:\DOCUME~1\Joanne\Incomplete
2007-07-04 02:37 <DIR> d-------- C:\Program Files\LimeWire
2007-07-04 02:25 <DIR> d-------- C:\DOCUME~1\Joanne\.limewire
2007-07-03 22:37 <DIR> d-------- C:\etax2007
2007-07-03 19:40 <DIR> d-------- C:\DOCUME~1\Ketura\APPLIC~1\Talkback
2007-07-03 02:20 82,944 --a------ C:\WINDOWS\system32\drivers\wdmaud.sys
2007-07-03 02:20 7,552 --a------ C:\WINDOWS\system32\drivers\MSKSSRV.sys
2007-07-03 02:20 60,800 --a------ C:\WINDOWS\system32\drivers\sysaudio.sys
2007-07-03 02:20 54,272 --a------ C:\WINDOWS\system32\drivers\swmidi.sys
2007-07-03 02:20 52,864 --a------ C:\WINDOWS\system32\drivers\DMusic.sys
2007-07-03 02:20 5,376 --a------ C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2007-07-03 02:20 2,944 --a------ C:\WINDOWS\system32\drivers\drmkaud.sys
2007-07-03 02:20 172,416 --a------ C:\WINDOWS\system32\drivers\kmixer.sys
2007-07-03 02:20 142,464 --a------ C:\WINDOWS\system32\drivers\aec.sys
2007-07-03 02:19 6,400 --a------ C:\WINDOWS\system32\drivers\splitter.sys
2007-07-03 02:19 4,992 --a------ C:\WINDOWS\system32\drivers\MSPQM.sys
2007-07-03 02:19 3,072 --a------ C:\WINDOWS\system32\drivers\audstub.sys
2007-07-03 02:19 27,164 --a------ C:\WINDOWS\system32\drivers\CE3N5.SYS
2007-07-03 02:18 870,784 --a------ C:\WINDOWS\system32\ati3d1ag.dll
2007-07-03 02:18 701,440 --a------ C:\WINDOWS\system32\drivers\ati2mtag.sys
2007-07-03 02:18 57,472 --a------ C:\WINDOWS\system32\drivers\redbook.sys
2007-07-03 02:18 516,768 --a------ C:\WINDOWS\system32\ativvaxx.dll
2007-07-03 02:18 229,376 --a------ C:\WINDOWS\system32\ati2cqag.dll
2007-07-03 02:18 201,728 --a------ C:\WINDOWS\system32\ati2dvag.dll
2007-07-03 02:18 1,888,992 --a------ C:\WINDOWS\system32\ati3duag.dll
2007-07-03 02:17 96,256 --a------ C:\WINDOWS\system32\drivers\ac97intc.sys
2007-07-03 02:17 9,344 --a------ C:\WINDOWS\system32\drivers\compbatt.sys
2007-07-03 02:17 74,240 --a------ C:\WINDOWS\system32\usbui.dll
2007-07-03 02:17 60,288 --a------ C:\WINDOWS\system32\drivers\drmk.sys
2007-07-03 02:17 42,368 --a------ C:\WINDOWS\system32\drivers\AGP440.SYS
2007-07-03 02:17 4,096 --a------ C:\WINDOWS\system32\ksuser.dll
2007-07-03 02:17 145,792 --a------ C:\WINDOWS\system32\drivers\portcls.sys
2007-07-03 02:17 14,080 --a------ C:\WINDOWS\system32\drivers\CmBatt.sys
2007-07-03 02:17 14,080 --a------ C:\WINDOWS\system32\drivers\battc.sys
2007-07-03 02:15 9,936 --a------ C:\WINDOWS\system\LZEXPAND.DLL
2007-07-03 02:15 9,008 --a------ C:\WINDOWS\system\VER.DLL
2007-07-03 02:15 85,020 --a------ C:\WINDOWS\system32\dgsetup.dll
2007-07-03 02:15 82,944 --a------ C:\WINDOWS\system\OLECLI.DLL
2007-07-03 02:15 8,704 --a------ C:\WINDOWS\system32\batt.dll
2007-07-03 02:15 8,192 -ra------ C:\WINDOWS\system32\kbdhept.dll
2007-07-03 02:15 74,752 --a------ C:\WINDOWS\system32\storprop.dll
2007-07-03 02:15 7,168 -ra------ C:\WINDOWS\system32\kbdcz.dll
2007-07-03 02:15 69,584 --a------ C:\WINDOWS\system\AVICAP.DLL
2007-07-03 02:15 69,120 --a------ C:\WINDOWS\NOTEPAD.EXE
2007-07-03 02:15 68,768 --a------ C:\WINDOWS\system\MMSYSTEM.DLL
2007-07-03 02:15 6,656 -ra------ C:\WINDOWS\system32\kbdycl.dll


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-16 12:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-16 12:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
2001-04-16 16:39 37808 --------- C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
2007-03-14 03:43 501400 --a------ C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9ECB9560-04F9-4bbc-943D-298DDF1699E1}]
2004-08-31 10:29 103568 --a------ C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BDF3E430-B101-42AD-A544-FADC6B084872}]
2005-01-10 12:20 218736 --a------ C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 17:32]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PowerBar"="" []
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-14 02:24]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-06-11 18:16]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 12:54]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
C:\Program Files\Ahead\InCD\InCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"C:\Program Files\MSN Messenger\msnmsgr.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCTVOICE]
pctspk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
"C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec NetDriver Monitor]
C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"gusvc"=3 (0x3)
"InCDsrv"=2 (0x2)
"WZCSVC"=2 (0x2)
"Themes"=2 (0x2)
"Netlogon"=3 (0x3)
"ISSVC"=2 (0x2)
"ImapiService"=3 (0x3)
"HTTPFilter"=3 (0x3)
"helpsvc"=2 (0x2)
"FastUserSwitchingCompatibility"=3 (0x3)
"COMSysApp"=3 (0x3)
"CiSvc"=3 (0x3)
"AudioSrv"=2 (0x2)
"SPBBCSvc"=2 (0x2)
"SNDSrvc"=2 (0x2)
"ose"=3 (0x3)


Contents of the 'Scheduled Tasks' folder
2007-07-13 10:05:46 C:\WINDOWS\tasks\Norton AntiVirus - Scan my computer - Joanne.job

**************************************************************************

catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-14 18:07:09
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
PowerBar = ?W?????????????????????????????????????????????????????????????|p??|????m??|?`?w????????PW????@?8?@?????PW??c"?s???s??????@?????N'?s?W2?L|?s????????????u??s????????c"?s???s??????@?8?@?N'?s${2??$@?8?@?8?@?????????0{2?`C2????s???s W2??C2?`C2?0i?s?????????W2????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-14 18:07:58
C:\ComboFix-quarantined-files.txt ... 2007-07-14 18:07
C:\ComboFix2.txt ... 2007-07-14 14:37

--- E O F ---
----------------------------------------------------------------------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 6:12:42 PM, on 7/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Joanne\Desktop\HJT\Killer.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://au.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{37C62339-655F-4570-A7BC-1A5B193A7DFE}: NameServer = 203.134.12.90 203.134.102.90
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

#6 Trevuren

Trevuren

    Teacher Emeritus

  • Authentic Member
  • PipPipPipPipPipPip
  • 8,632 posts
  • Interests:Woodworking

Posted 14 July 2007 - 05:14 PM

Things are looking good.

Please, let us try and solve the mystery of the oh so numerous batch files.

1. Using Windows Explorer (right click on Start and choose Explore), please locate the following file:

C:\DOCUMENTS and SETTINGS\Joanne\6284.bat


2. Now RIGHT click on the file and choose Rename. Change the name to 6284.txt

3. Once renamed, choose to Save the file. A warning popup will advise you that you should be careful. Ignore the message in this case.

4. Now click on the text file and a Notepad window will open. Please copy the entire content of the Notepad file and paste it in your reply.

5. Once you have posted your reply, go back and rename the file to 6284.bat
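
The helper above is asking where the steady stream of 167-byte batch files in the ComboFix "Files Created" report comes from. As an added example (not part of this thread, of ComboFix or of the helper's instructions), here is a small Python triage script that parses lines from that section of the log and flags two things a reviewer would want surfaced: groups of files with the same extension and byte size whose names are digits only (the daily .bat files), and zero-byte executables (the taskkill.exe entry in the log above). The sample lines are copied from the ComboFix log posted earlier; the size threshold, minimum group size and extension list are assumptions.

```python
import ntpath
import re
from collections import defaultdict

# One "Files Created" line: date, time, size (or <DIR>), 9 attribute flags, path.
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}) "
    r"(?P<size><DIR>|[\d,]+) (?P<attrs>[-a-z]{9}) (?P<path>\S.*)$"
)

# Extensions Windows will execute or load; a zero-byte file with one of these
# names deserves a second look (assumed list for this example, not ComboFix's).
EXEC_EXTS = {".exe", ".dll", ".sys", ".bat", ".cmd", ".com", ".scr", ".pif"}

# Sample report lines copied from the ComboFix log posted in this thread.
SAMPLE_LOG = r"""
2007-07-14 18:03 0 --a------ C:\DOCUME~1\Joanne\.exe
2007-07-14 14:30 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-13 23:43 <DIR> d-------- C:\Program Files\Synonyms and Antonyms
2007-07-10 19:16 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2007-07-09 19:39 167 --a------ C:\DOCUME~1\Joanne\6284.bat
2007-07-09 18:39 167 --a------ C:\DOCUME~1\Joanne\8103.bat
2007-07-08 19:59 167 --a------ C:\DOCUME~1\Joanne\6996.bat
2007-07-05 12:35 10,838 --a------ C:\DOCUME~1\Joanne\install.exe
2007-07-04 20:55 141 --a------ C:\DOCUME~1\Ketura\3090.bat
2007-07-04 02:54 0 --a------ C:\WINDOWS\system32\taskkill.exe
"""


def split_name(path):
    """Return (stem, ext) for a Windows path; a bare '.exe' gives ('', '.exe')."""
    name = ntpath.basename(path)
    dot = name.rfind(".")
    if dot < 0:
        return name, ""
    return name[:dot], name[dot:].lower()


def parse_files_created(text):
    """Parse report lines into dicts; lines that do not match the format are skipped."""
    records = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        size = None if m["size"] == "<DIR>" else int(m["size"].replace(",", ""))
        stem, ext = split_name(m["path"])
        records.append({
            "date": m["date"], "time": m["time"], "size": size,
            "attrs": m["attrs"], "path": m["path"], "stem": stem, "ext": ext,
        })
    return records


def find_numeric_clusters(records, min_count=3, max_size=4096):
    """Small files sharing extension and exact size whose names are digits only.

    Several of these, often one per day, suggest something rewriting the same
    content under fresh random names. Thresholds are assumptions for this example."""
    groups = defaultdict(list)
    for r in records:
        if r["size"] is not None and r["size"] <= max_size and r["stem"].isdigit():
            groups[(r["ext"], r["size"])].append(r)
    hits = []
    for (ext, size), members in sorted(groups.items()):
        if len(members) >= min_count:
            dates = sorted(m["date"] for m in members)
            hits.append({"ext": ext, "size": size, "count": len(members),
                         "first": dates[0], "last": dates[-1],
                         "paths": sorted(m["path"] for m in members)})
    return hits


def find_zero_byte_executables(records):
    """Executable-type files recorded with size 0, e.g. a truncated system tool."""
    return sorted(r["path"] for r in records
                  if r["size"] == 0 and r["ext"] in EXEC_EXTS)


if __name__ == "__main__":
    recs = parse_files_created(SAMPLE_LOG)
    for hit in find_numeric_clusters(recs):
        print(f"{hit['count']} x {hit['size']}-byte {hit['ext']} files, "
              f"{hit['first']} to {hit['last']}:")
        for p in hit["paths"]:
            print("   ", p)
    for p in find_zero_byte_executables(recs):
        print("zero-byte executable:", p)
```

Run against the full "Files Created" section rather than the sample, the cluster report lists every one of the random-named .bat files at once, which is the list the helper is asking the poster to investigate.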

#7 problemchild

problemchild

    New Member

  • New Member
  • Pip
  • 6 posts

Posted 15 July 2007 - 12:23 AM

Yep, the computer seems a lot healthier since using vundo and combo fix. Thank you so much for that! I just tried renaming the batch file.. was able to rename it but unable to save/open it as a text file. What next? Update.... just thought I'd try it again before I post this... and it disappeared! I know I didn't rename it to anything else. Have just done a search of my computer and it's gone!

#8 Trevuren

Trevuren

    Teacher Emeritus

  • Authentic Member
  • PipPipPipPipPipPip
  • 8,632 posts
  • Interests:Woodworking

Posted 15 July 2007 - 11:19 AM

Please go to: VirusTotal
  • On the page you'll find a "Browse" button.
  • Next to the browse button you'll see a box to enter text.
  • Please copy/paste the following in BOLD:

    C:\DOCUMENTS and SETTINGS\Joanne\4944.bat

  • Then click the "Send File " button just below.
  • This will scan the file. Please be patient.
  • Once scanned, copy and paste the results in your next reply.

Edited by Trevuren, 15 July 2007 - 11:20 AM.


#9 problemchild

problemchild

    New Member

  • New Member
  • Pip
  • 6 posts

Posted 15 July 2007 - 07:59 PM

File 4944.bat received on 07.16.2007 03:47:33 (CET)

Antivirus          Version         Last Update  Result
AhnLab-V3          2007.7.14.0     2007.07.14   no virus found
AntiVir            7.4.0.42        2007.07.15   no virus found
Authentium         4.93.8          2007.07.13   no virus found
Avast              4.7.997.0       2007.07.16   no virus found
AVG                7.5.0.476       2007.07.15   no virus found
BitDefender        7.2             2007.07.16   no virus found
CAT-QuickHeal      9.00            2007.07.14   no virus found
ClamAV             devel-20070416  2007.07.15   no virus found
DrWeb              4.33            2007.07.15   no virus found
eSafe              7.0.15.0        2007.07.10   no virus found
eTrust-Vet         30.8.3784       2007.07.14   no virus found
Ewido              4.0             2007.07.14   no virus found
FileAdvisor        1               2007.07.16   no virus found
Fortinet           2.91.0.0        2007.07.14   no virus found
F-Prot             4.3.2.48        2007.07.13   no virus found
Ikarus             T3.1.1.8        2007.07.15   no virus found
Kaspersky          4.0.2.24        2007.07.16   no virus found
McAfee             5074            2007.07.13   no virus found
Microsoft          1.2704          2007.07.16   no virus found
NOD32v2            2399            2007.07.14   no virus found
Norman             5.80.02         2007.07.13   no virus found
Panda              9.0.0.4         2007.07.15   no virus found
Sophos             4.19.0          2007.07.06   no virus found
Sunbelt            2.2.907.0       2007.07.14   no virus found
Symantec           10              2007.07.16   no virus found
TheHacker          6.1.6.146       2007.07.13   no virus found
VBA32              3.12.0.2        2007.07.16   no virus found
VirusBuster        4.3.23:9        2007.07.15   no virus found
Webwasher-Gateway  6.0.1           2007.07.16   no virus found

Aditional information
File size: 167 bytes
MD5: c938446dc374242f0bf2381875009f05
SHA1: c63a539326f930436ee13e17c47ca1514f5a8c71

#10 Trevuren

Trevuren

    Teacher Emeritus

  • Authentic Member
  • PipPipPipPipPipPip
  • 8,632 posts
  • Interests:Woodworking

Posted 15 July 2007 - 09:22 PM

1. A. Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
  • Under "Configuration and Preferences", click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.

B. Reboot into Safe Mode


How to use the F8 method to Start Your Computer in Safe Mode
  • Restart the computer.
  • As soon as BIOS is loaded, begin tapping the F8 key until the Advanced Options menu appears.
  • Use the arrow keys to select the Safe mode menu item.
  • Press Enter.

C. Double-click SUPERAntiSpyware.exe to start the tool again
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.

2. After running SuperAntispyware, please run another ComboFix scan and post the log along with a fresh HJT log.

3. Reports/Logs to Post:
  • SuperAntispyware log
  • ComboFix.txt
  • Hjt log


#11 problemchild

problemchild

    New Member

  • New Member
  • Pip
  • 6 posts

Posted 16 July 2007 - 05:13 AM

SUPER Anti Spyware LOG

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 07/16/2007 at 08:02 PM

Application Version : 3.9.1008

Core Rules Database Version : 3259
Trace Rules Database Version: 1270

Scan type : Complete Scan
Total Scan Time : 01:18:27

Memory items scanned : 155
Memory threats detected : 0
Registry items scanned : 4592
Registry threats detected : 5
File items scanned : 33121
File threats detected : 73

Adware.Tracking Cookie
C:\Documents and Settings\Joanne\Cookies\joanne@cgi-bin[2].txt
C:\Documents and Settings\Joanne\Cookies\joanne@ad.zanox[1].txt
C:\Documents and Settings\Joanne\Cookies\joanne@mediaplex[1].txt
C:\Documents and Settings\Joanne\Cookies\joanne@videoegg.adbureau[2].txt
C:\Documents and Settings\Joanne\Cookies\joanne@mediaonenetwork[1].txt
C:\Documents and Settings\Joanne\Cookies\joanne@partypoker[2].txt
C:\Documents and Settings\Joanne\Cookies\joanne@casalemedia[1].txt
C:\Documents and Settings\Joanne\Cookies\joanne@4.adbrite[1].txt
C:\Documents and Settings\Joanne\Cookies\joanne@ads.monster[1].txt
C:\Documents and Settings\Joanne\Cookies\joanne@tradedoubler[1].txt
C:\Documents and Settings\Joanne\Cookies\joanne@ads.glispa[2].txt
C:\Documents and Settings\Joanne\Cookies\joanne@hitbox[1].txt
C:\Documents and Settings\Joanne\Cookies\joanne@a[1].txt
C:\Documents and Settings\Joanne\Cookies\joanne@ad.yieldmanager[2].txt
C:\Documents and Settings\Joanne\Cookies\joanne@media.sensis.com[1].txt
C:\Documents and Settings\Joanne\Cookies\joanne@msnportal.112.2o7[2].txt
C:\Documents and Settings\Joanne\Cookies\joanne@advertising[1].txt
C:\Documents and Settings\Joanne\Cookies\joanne@adbrite[1].txt
C:\Documents and Settings\Joanne\Cookies\joanne@server.iad.liveperson[1].txt
C:\Documents and Settings\Joanne\Cookies\joanne@drivecleaner[1].txt
C:\Documents and Settings\Joanne\Cookies\joanne@adopt.euroclick[2].txt
C:\Documents and Settings\Joanne\Cookies\joanne@bs.serving-sys[2].txt
C:\Documents and Settings\Joanne\Cookies\joanne@tracker.mediatracker.co[2].txt
C:\Documents and Settings\Joanne\Cookies\joanne@cassava[1].txt
C:\Documents and Settings\Joanne\Cookies\joanne@atdmt[2].txt
C:\Documents and Settings\Joanne\Cookies\joanne@sensismediasmart.com[1].txt
C:\Documents and Settings\Joanne\Cookies\joanne@acvs.mediaonenetwork[2].txt
C:\Documents and Settings\Joanne\Cookies\joanne@stats1.reliablestats[1].txt
C:\Documents and Settings\Joanne\Cookies\joanne@adinterax[2].txt
C:\Documents and Settings\Joanne\Cookies\joanne@doubleclick[1].txt
C:\Documents and Settings\Joanne\Cookies\joanne@[1].txt
C:\Documents and Settings\Joanne\Cookies\joanne@2o7[2].txt
C:\Documents and Settings\Joanne\Cookies\joanne@www.winantiviruspro[1].txt
C:\Documents and Settings\Joanne\Cookies\joanne@statse.webtrendslive[1].txt
C:\Documents and Settings\Joanne\Cookies\joanne@statcounter[2].txt
C:\Documents and Settings\Joanne\Cookies\joanne@e-2dj6wjloejcpkkq.stats.esomniture[2].txt
C:\Documents and Settings\Joanne\Cookies\joanne@gemoney.112.2o7[1].txt
C:\Documents and Settings\Joanne\Cookies\joanne@winantivirus[1].txt
C:\Documents and Settings\Joanne\Cookies\joanne@e-2dj6wfl4ondjwap.stats.esomniture[2].txt
C:\Documents and Settings\Joanne\Cookies\joanne@partygaming.122.2o7[1].txt
C:\Documents and Settings\Joanne\Cookies\joanne@www.etracker.com[2].txt
C:\Documents and Settings\Joanne\Cookies\joanne@fastclick[2].txt
C:\Documents and Settings\Joanne\Cookies\joanne@e-2dj6waliwmdzeeq.stats.esomniture[1].txt
C:\Documents and Settings\Joanne\Cookies\joanne@hc2.humanclick[1].txt
C:\Documents and Settings\Joanne\Cookies\joanne@ehg-starcomworldwide.hitbox[1].txt
C:\Documents and Settings\Joanne\Cookies\joanne@www.winantispyware[2].txt
C:\Documents and Settings\Joanne\Cookies\joanne@888[1].txt
C:\Documents and Settings\Joanne\Cookies\joanne@56081914[2].txt
C:\Documents and Settings\Joanne\Cookies\joanne@overture[2].txt
C:\Documents and Settings\Joanne\Cookies\joanne@1069428106[1].txt
C:\Documents and Settings\Joanne\Cookies\joanne@www.ezytrack[2].txt
C:\Documents and Settings\Joanne\Cookies\joanne@20206613[2].txt
C:\Documents and Settings\Joanne\Cookies\joanne@www.amaena[2].txt
C:\Documents and Settings\Joanne\Cookies\joanne@winantispyware[3].txt
C:\Documents and Settings\Joanne\Cookies\joanne@cpvfeed[2].txt
C:\Documents and Settings\Joanne\Cookies\joanne@serving-sys[1].txt
C:\Documents and Settings\Joanne\Cookies\joanne@pamedia.com[1].txt
C:\Documents and Settings\Joanne\Cookies\joanne@virginmoneyaustralia.122.2o7[1].txt
C:\Documents and Settings\Joanne\Cookies\joanne@realmedia[1].txt
C:\Documents and Settings\Joanne\Cookies\joanne@clicksector[2].txt
C:\Documents and Settings\Joanne\Cookies\joanne@winantispyware[2].txt
C:\Documents and Settings\Ketura\Cookies\ketura@2o7[1].txt
C:\Documents and Settings\Ketura\Cookies\ketura@ad.yieldmanager[2].txt
C:\Documents and Settings\Ketura\Cookies\ketura@atdmt[2].txt
C:\Documents and Settings\Ketura\Cookies\ketura@doubleclick[1].txt
C:\Documents and Settings\Ketura\Cookies\ketura@drivecleaner[2].txt
C:\Documents and Settings\Ketura\Cookies\ketura@fastclick[1].txt
C:\Documents and Settings\Ketura\Cookies\ketura@media.fastclick[2].txt
C:\Documents and Settings\Ketura\Cookies\ketura@msnportal.112.2o7[1].txt
C:\Documents and Settings\Ketura\Cookies\ketura@msnprod.oberon-media[1].txt
C:\Documents and Settings\Ketura\Cookies\ketura@questionmarket[2].txt

Adware.ClickSpring/Yazzle
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Yazzle1122Oin
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Yazzle1122Oin#DisplayName
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Yazzle1122Oin#UninstallString
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Yazzle1122Oin#HelpLink
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Yazzle1122Oin#Publisher
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\COMMON FILES\YAZZLE1122OINUNINSTALLER.EXE.VIR

Unclassified.PC MightyMax
C:\DOCUMENTS AND SETTINGS\ALL USERS\DOCUMENTS\JOANNES STUFF\JOANNE\SECURITY AND PROGRAMS\PCMIGHTYMAXSETUP.EXE
------------------------------------------------------------------------------------------------------------------
COMBO Fix LOG

"Joanne" - 2007-07-16 20:16:50 - ComboFix 07-07-14.3 - Service Pack 2 NTFS


((((((((((((((((((((((((( Files Created from 2007-06-16 to 2007-07-16 )))))))))))))))))))))))))))))))


2007-07-16 18:32 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-07-16 18:32 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-07-16 18:32 <DIR> d-------- C:\DOCUME~1\Joanne\APPLIC~1\SUPERAntiSpyware.com
2007-07-16 18:32 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-07-16 14:19 <DIR> d-------- C:\DOCUME~1\Ketura\APPLIC~1\NCH Swift Sound
2007-07-14 14:30 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-13 23:43 <DIR> d-------- C:\Program Files\Synonyms and Antonyms
2007-07-10 19:16 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2007-07-10 19:16 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2007-07-10 00:41 <DIR> d-------- C:\Program Files\SymNetDrv
2007-07-10 00:38 79 --a------ C:\WINDOWS\delay.reg
2007-07-09 19:11 <DIR> d-------- C:\Program Files\Norton Internet Security
2007-07-09 19:10 <DIR> d-------- C:\DOCUME~1\Joanne\APPLIC~1\Symantec
2007-07-09 19:09 91,904 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2007-07-09 19:09 124,016 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-07-09 19:08 <DIR> d-------- C:\Program Files\Symantec
2007-07-09 19:07 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2007-07-09 19:07 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec
2007-07-09 18:39 167 --a------ C:\DOCUME~1\Joanne\8103.bat
2007-07-08 19:59 167 --a------ C:\DOCUME~1\Joanne\6996.bat
2007-07-08 15:58 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2007-07-08 14:19 167 --a------ C:\DOCUME~1\Joanne\3333.bat
2007-07-07 12:25 167 --a------ C:\DOCUME~1\Joanne\2347.bat
2007-07-06 19:25 167 --a------ C:\DOCUME~1\Joanne\4725.bat
2007-07-06 12:33 167 --a------ C:\DOCUME~1\Joanne\8940.bat
2007-07-06 00:01 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2007-07-06 00:01 <DIR> d-------- C:\WINDOWS\system32\PreInstall
2007-07-05 23:05 <DIR> d-------- C:\WINDOWS\system32\SoftwareDistribution
2007-07-05 22:57 <DIR> d---s---- C:\DOCUME~1\Joanne\UserData
2007-07-05 22:49 167 --a------ C:\DOCUME~1\Joanne\4632.bat
2007-07-05 12:49 167 --a------ C:\DOCUME~1\Joanne\4944.bat
2007-07-05 12:36 167 --a------ C:\DOCUME~1\Joanne\5079.bat
2007-07-04 22:49 167 --a------ C:\DOCUME~1\Joanne\2809.bat
2007-07-04 22:46 <DIR> d-------- C:\WINDOWS\system32\QuickTime
2007-07-04 22:46 <DIR> d-------- C:\Program Files\QuickTime
2007-07-04 22:46 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\QuickTime
2007-07-04 22:45 <DIR> d-------- C:\Program Files\eMedia Starter Guitar Lessons
2007-07-04 21:59 2,560 --------- C:\WINDOWS\system32\drivers\cdralw2k.sys
2007-07-04 21:59 2,432 --------- C:\WINDOWS\system32\drivers\cdr4_xp.sys
2007-07-04 21:59 <DIR> d-------- C:\Program Files\Picasa2
2007-07-04 21:59 <DIR> d-------- C:\Program Files\Google
2007-07-04 21:58 <DIR> d-------- C:\Program Files\Photo To Sketch
2007-07-04 21:58 <DIR> d-------- C:\Program Files\NCH Swift Sound
2007-07-04 21:58 <DIR> d-------- C:\DOCUME~1\Joanne\APPLIC~1\NCH Swift Sound
2007-07-04 21:54 167 --a------ C:\DOCUME~1\Joanne\1934.bat
2007-07-04 20:55 141 --a------ C:\DOCUME~1\Ketura\3090.bat
2007-07-04 17:52 25,600 --a------ C:\WINDOWS\system32\drivers\usbser.sys
2007-07-04 17:45 <DIR> d-------- C:\DOCUME~1\Joanne\APPLIC~1\Help
2007-07-04 17:14 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll
2007-07-04 16:47 <DIR> d-------- C:\DOCUME~1\Joanne\APPLIC~1\WinRAR
2007-07-04 16:33 <DIR> d--hs---- C:\DOCUME~1\Joanne\Complete
2007-07-04 15:32 <DIR> d-------- C:\WINDOWS\pss
2007-07-04 10:43 <DIR> d-------- C:\DOCUME~1\Ketura\Incomplete
2007-07-04 10:42 <DIR> d-------- C:\DOCUME~1\Ketura\APPLIC~1\LimeWire
2007-07-04 02:54 0 --a------ C:\WINDOWS\system32\taskkill.exe
2007-07-04 02:39 <DIR> d-------- C:\DOCUME~1\Joanne\Shared
2007-07-04 02:39 <DIR> d-------- C:\DOCUME~1\Joanne\Incomplete
2007-07-04 02:37 <DIR> d-------- C:\Program Files\LimeWire
2007-07-04 02:25 <DIR> d-------- C:\DOCUME~1\Joanne\.limewire
2007-07-03 22:37 <DIR> d-------- C:\etax2007
2007-07-03 19:40 <DIR> d-------- C:\DOCUME~1\Ketura\APPLIC~1\Talkback
2007-07-03 02:20 82,944 --a------ C:\WINDOWS\system32\drivers\wdmaud.sys
2007-07-03 02:20 7,552 --a------ C:\WINDOWS\system32\drivers\MSKSSRV.sys
2007-07-03 02:20 60,800 --a------ C:\WINDOWS\system32\drivers\sysaudio.sys
2007-07-03 02:20 54,272 --a------ C:\WINDOWS\system32\drivers\swmidi.sys
2007-07-03 02:20 52,864 --a------ C:\WINDOWS\system32\drivers\DMusic.sys
2007-07-03 02:20 5,376 --a------ C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2007-07-03 02:20 2,944 --a------ C:\WINDOWS\system32\drivers\drmkaud.sys
2007-07-03 02:20 172,416 --a------ C:\WINDOWS\system32\drivers\kmixer.sys
2007-07-03 02:20 142,464 --a------ C:\WINDOWS\system32\drivers\aec.sys
2007-07-03 02:19 6,400 --a------ C:\WINDOWS\system32\drivers\splitter.sys
2007-07-03 02:19 4,992 --a------ C:\WINDOWS\system32\drivers\MSPQM.sys
2007-07-03 02:19 3,072 --a------ C:\WINDOWS\system32\drivers\audstub.sys
2007-07-03 02:19 27,164 --a------ C:\WINDOWS\system32\drivers\CE3N5.SYS
2007-07-03 02:18 870,784 --a------ C:\WINDOWS\system32\ati3d1ag.dll
2007-07-03 02:18 701,440 --a------ C:\WINDOWS\system32\drivers\ati2mtag.sys
2007-07-03 02:18 57,472 --a------ C:\WINDOWS\system32\drivers\redbook.sys
2007-07-03 02:18 516,768 --a------ C:\WINDOWS\system32\ativvaxx.dll
2007-07-03 02:18 229,376 --a------ C:\WINDOWS\system32\ati2cqag.dll
2007-07-03 02:18 201,728 --a------ C:\WINDOWS\system32\ati2dvag.dll
2007-07-03 02:18 1,888,992 --a------ C:\WINDOWS\system32\ati3duag.dll
2007-07-03 02:17 96,256 --a------ C:\WINDOWS\system32\drivers\ac97intc.sys
2007-07-03 02:17 9,344 --a------ C:\WINDOWS\system32\drivers\compbatt.sys
2007-07-03 02:17 74,240 --a------ C:\WINDOWS\system32\usbui.dll
2007-07-03 02:17 60,288 --a------ C:\WINDOWS\system32\drivers\drmk.sys
2007-07-03 02:17 42,368 --a------ C:\WINDOWS\system32\drivers\AGP440.SYS
2007-07-03 02:17 4,096 --a------ C:\WINDOWS\system32\ksuser.dll
2007-07-03 02:17 145,792 --a------ C:\WINDOWS\system32\drivers\portcls.sys
2007-07-03 02:17 14,080 --a------ C:\WINDOWS\system32\drivers\CmBatt.sys
2007-07-03 02:17 14,080 --a------ C:\WINDOWS\system32\drivers\battc.sys
2007-07-03 02:15 9,936 --a------ C:\WINDOWS\system\LZEXPAND.DLL
2007-07-03 02:15 9,008 --a------ C:\WINDOWS\system\VER.DLL
2007-07-03 02:15 85,020 --a------ C:\WINDOWS\system32\dgsetup.dll
2007-07-03 02:15 82,944 --a------ C:\WINDOWS\system\OLECLI.DLL
2007-07-03 02:15 8,704 --a------ C:\WINDOWS\system32\batt.dll
2007-07-03 02:15 8,192 -ra------ C:\WINDOWS\system32\kbdhept.dll
2007-07-03 02:15 74,752 --a------ C:\WINDOWS\system32\storprop.dll
2007-07-03 02:15 7,168 -ra------ C:\WINDOWS\system32\kbdcz.dll
2007-07-03 02:15 69,584 --a------ C:\WINDOWS\system\AVICAP.DLL
2007-07-03 02:15 69,120 --a------ C:\WINDOWS\NOTEPAD.EXE


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-16 12:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-16 12:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
2001-04-16 16:39 37808 --------- C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
2007-03-14 03:43 501400 --a------ C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9ECB9560-04F9-4bbc-943D-298DDF1699E1}]
2004-08-31 10:29 103568 --a------ C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BDF3E430-B101-42AD-A544-FADC6B084872}]
2005-01-10 12:20 218736 --a------ C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 17:32]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PowerBar"="" []
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-14 02:24]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-06-11 18:16]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 12:54]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 22:00]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"="C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 13:55]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll --a------ 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
C:\Program Files\Ahead\InCD\InCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"C:\Program Files\MSN Messenger\msnmsgr.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCTVOICE]
pctspk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
"C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec NetDriver Monitor]
C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"gusvc"=3 (0x3)
"InCDsrv"=2 (0x2)
"WZCSVC"=2 (0x2)
"Themes"=2 (0x2)
"Netlogon"=3 (0x3)
"ISSVC"=2 (0x2)
"ImapiService"=3 (0x3)
"HTTPFilter"=3 (0x3)
"helpsvc"=2 (0x2)
"FastUserSwitchingCompatibility"=3 (0x3)
"COMSysApp"=3 (0x3)
"CiSvc"=3 (0x3)
"AudioSrv"=2 (0x2)
"SPBBCSvc"=2 (0x2)
"SNDSrvc"=2 (0x2)
"ose"=3 (0x3)


Contents of the 'Scheduled Tasks' folder
2007-07-13 10:05:46 C:\WINDOWS\tasks\Norton AntiVirus - Scan my computer - Joanne.job

**************************************************************************

catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-16 20:19:23
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
PowerBar = ?W?????????????????????????????????????????????????????????????|p??|????m??|?`?w????????PW????@?8?@?????PW??c"?s???s??????@?????N'?s?W2?L|?s????????????u??s????????c"?s???s??????@?8?@?N'?s${2??$@?8?@?8?@?????????0{2?`C2????s???s W2??C2?`C2?0i?s?????????W2????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-16 20:20:37
C:\ComboFix-quarantined-files.txt ... 2007-07-16 20:20
C:\ComboFix2.txt ... 2007-07-14 18:07
C:\ComboFix3.txt ... 2007-07-14 14:37

--- E O F ---
------------------------------------------------------------------------------------------------------------------
HJT LOG

Logfile of HijackThis v1.99.1
Scan saved at 9:09:55 PM, on 7/16/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Common Files\Symantec Shared\AdBlocking\NSMdtr.exe
C:\Documents and Settings\Joanne\My Documents\My Downloads\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://au.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{37C62339-655F-4570-A7BC-1A5B193A7DFE}: NameServer = 203.134.12.90 203.134.102.90
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

#12 Trevuren

Trevuren

    Teacher Emeritus

  • Authentic Member
  • 8,632 posts
  • Interests:Woodworking

Posted 16 July 2007 - 10:05 AM

A. Please DELETE the following file: C:\DOCUMENTS and SETTINGS\Joanne\.limewire


B. Your logs look clean. :thumbup: I think it would be wise to do an in-depth check of your entire system just to make sure that no malware is still lurking:

Please do an online scan with Kaspersky Online Virus Scanner (Use Internet Explorer as your Browser)

Note: If you have used this particular scanner before, you MAY HAVE TO UNINSTALL the program through Add/Remove Programs before downloading the new ActiveX component

Next Click on Free Virus Scanner, then Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files.
  • Once the files have been downloaded, click on NEXT.
  • Now click on Scan Settings.
  • In the scan settings, make sure that the following are selected:
    • Scan using the following Anti-Virus database: Standard
    • Scan Options: Scan Archives, Scan Mail Bases
  • Click OK.
  • Now under "Select a target to scan", select My Computer.
  • The program will start and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, it will display whether your system has been infected.
  • Now click on the Save as Text button.
  • Save the file to your desktop.
  • Copy and paste that information into your next post.
Please also tell me how things are now running.

Regards

Trevuren

Microsoft MVP Consumer Security 2008 - 2009


Proud graduate of TC/WTT Classroom



The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Want to help others? Join the ClassRoom and learn how.



#13 Trevuren

Trevuren

    Teacher Emeritus

  • Authentic Member
  • 8,632 posts
  • Interests:Woodworking

Posted 24 July 2007 - 09:15 PM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could be of assistance.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.

Coyote's Installed programs for prevention:

http://forums.tomcoy...showtopic=31418

The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Visit the CoyoteStore http://TomCoyote.org/coyotestore.php