
[Resolved] Trojan and Malware Cleansing Help Pls.

36 replies to this topic

#16 andyspeake

Posted 24 May 2008 - 03:53 PM

As you carried out a repair install, this overwrote the system files to get the computer back up and running. A repair install doesn't format the hard disk, so there may be infected files on the computer; therefore we need to proceed as follows.

Download and Run ComboFix

Please visit this webpage for instructions on downloading ComboFix to your DESKTOP:
http://www.bleepingc...to-use-combofix
Please ensure you read this guide carefully and install the Recovery Console first.

Additional links to download the tool:
http://download.blee...Bs/ComboFix.exe
http://www.forospywa...Bs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Click Yes to allow ComboFix to continue scanning for malware.
  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.



#17 Tmicrochip

Posted 24 May 2008 - 04:08 PM

I think I still have a Recovery Console installed, because when I boot my PC now it gives me the option to boot into Windows or the Recovery Console... so do I need to install another?

#18 andyspeake

Posted 24 May 2008 - 04:10 PM

Nope, just run ComboFix then.

#19 Tmicrochip

Posted 24 May 2008 - 04:20 PM

Ok, I'm going to run it in a minute. I'm reading the link you sent me so I don't do anything stupid. The only thing running on my PC is Norton, so the only thing I should have to do is right-click the icon and click Disable Auto-Protect, right?

#20 andyspeake

Posted 24 May 2008 - 04:22 PM

Yep, that's the one; basically disable Norton's real-time protection.

#21 Tmicrochip

Posted 24 May 2008 - 04:32 PM

Alrighty. Well I'm going to go for it. I'll write back in a bit.

#22 Tmicrochip

Posted 24 May 2008 - 04:44 PM

Ok, a safe run of ComboFix has happened. :-) *sigh*

So here's the CF log.

ComboFix 08-05-21.3 - Terry 2008-05-24 17:35:38.6 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.667 [GMT -5:00]
Running from: C:\Documents and Settings\Terry\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NAVAPSVC
-------\Service_navapsvc


((((((((((((((((((((((((( Files Created from 2008-04-24 to 2008-05-24 )))))))))))))))))))))))))))))))
.

2008-05-24 02:41 . 2008-05-24 02:41 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak
2008-05-23 21:05 . 2004-08-04 07:00 10,096,640 --a--c--- C:\WINDOWS\system32\dllcache\hwxcht.dll
2008-05-23 21:04 . 2004-05-13 00:39 876,653 --a--c--- C:\WINDOWS\system32\dllcache\fp4awel.dll
2008-05-23 21:02 . 2004-08-04 07:00 16,384 --a--c--- C:\WINDOWS\system32\dllcache\isignup.exe
2008-05-23 21:02 . 2008-05-23 21:02 749 -rah----- C:\WINDOWS\WindowsShell.Manifest
2008-05-23 21:02 . 2008-05-23 21:02 749 -rah----- C:\WINDOWS\system32\wuaucpl.cpl.manifest
2008-05-23 21:02 . 2008-05-23 21:02 749 -rah----- C:\WINDOWS\system32\sapi.cpl.manifest
2008-05-23 21:02 . 2008-05-23 21:02 749 -rah----- C:\WINDOWS\system32\ncpa.cpl.manifest
2008-05-23 21:02 . 2008-05-23 21:02 488 -rah----- C:\WINDOWS\system32\logonui.exe.manifest
2008-05-21 19:28 . 2008-05-21 19:28 10,240 --ahs---- C:\WINDOWS\system32\Thumbs.db
2008-05-13 15:49 . 2008-05-13 16:00 <DIR> d-------- C:\Documents and Settings\Terry\Application Data\OfficeUpdate12
2008-05-11 11:48 . 2008-05-11 11:49 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-05-11 11:48 . 2008-05-11 11:48 <DIR> d-------- C:\WINDOWS\system32\en
2008-05-11 11:48 . 2008-05-11 11:48 <DIR> d-------- C:\WINDOWS\l2schemas
2008-05-11 11:47 . 2008-05-11 11:47 <DIR> d-------- C:\WINDOWS\system32\bits
2008-05-11 10:21 . 2008-05-11 10:21 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-05-11 07:56 . 2008-05-11 07:56 <DIR> d-------- C:\WINDOWS\EHome
2008-05-11 07:46 . 2004-08-03 22:29 701,440 --a------ C:\WINDOWS\system32\drivers\ati2mtag.sys
2008-05-11 05:24 . 2008-05-23 23:22 147 --a------ C:\WINDOWS\wininit.ini
2008-05-11 05:06 . 2008-05-11 05:06 <DIR> d-------- C:\Documents and Settings\Administrator
2008-05-11 04:08 . 2004-08-03 23:07 59,264 --a------ C:\WINDOWS\system32\drivers\usbaudio.sys
2008-05-11 00:41 . 2008-05-11 00:41 <DIR> d-------- C:\Program Files\HOJY TECH
2008-05-10 23:50 . 2008-05-15 01:48 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-05-10 23:50 . 2008-05-10 23:50 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-25 11:34 . 2008-04-25 11:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-24 22:40 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-05-24 20:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-24 03:56 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-05-18 05:17 --------- d-----w C:\Program Files\Steam
2008-05-13 23:21 --------- d-----w C:\Program Files\World of Warcraft
2008-05-11 10:26 --------- d-----w C:\Program Files\Norton AntiVirus
2008-05-11 05:41 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-28 23:21 --------- d-----w C:\Program Files\DivX
2008-04-25 16:34 --------- d-----w C:\Program Files\Apple Software Update
2008-04-17 00:56 524,288 ----a-w C:\WINDOWS\opuc.dll
2008-04-14 00:11 94,208 ----a-w C:\WINDOWS\system32\eappgnui.dll
2008-04-14 00:09 6,144 ----a-w C:\WINDOWS\system32\kbdpash.dll
2008-04-14 00:09 6,144 ----a-w C:\WINDOWS\system32\kbdnepr.dll
2008-04-14 00:09 6,144 ----a-w C:\WINDOWS\system32\kbdiultn.dll
2008-04-14 00:09 6,144 ----a-w C:\WINDOWS\system32\kbdbhc.dll
2008-04-13 18:40 10,240 ----a-w C:\WINDOWS\system32\drivers\sffp_mmc.sys
2008-04-13 18:14 76,800 ----a-w C:\WINDOWS\system32\msshavmsg.dll
2008-04-13 17:27 79,872 ----a-w C:\WINDOWS\system32\msxml6r.dll
2008-04-13 16:36 144,384 ----a-w C:\WINDOWS\system32\drivers\hdaudbus.sys
2008-04-11 20:41 --------- d-----w C:\Program Files\QuickTime
2008-04-11 20:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-03-31 21:25 831,488 ----a-w C:\WINDOWS\system32\divx_xx0a.dll
2008-03-31 21:25 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2008-03-31 21:25 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2008-03-31 21:25 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2008-03-31 21:25 682,496 ----a-w C:\WINDOWS\system32\DivX.dll
2008-03-31 21:25 161,096 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2008-03-27 05:41 --------- d-----w C:\Program Files\CCleaner
2008-03-21 20:30 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2008-03-21 20:30 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2008-03-21 20:30 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2008-03-21 20:30 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2008-03-21 20:28 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2008-03-21 20:28 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2008-03-21 20:28 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2008-03-21 20:28 53,248 -c--a-w C:\WINDOWS\system32\dpuGUI10.dll
2008-03-21 20:28 344,064 -c--a-w C:\WINDOWS\system32\dpus11.dll
2008-03-21 20:28 294,912 -c--a-w C:\WINDOWS\system32\dpu10.dll
2008-03-21 20:28 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2008-03-21 20:28 196,608 -c--a-w C:\WINDOWS\system32\dtu100.dll
2008-03-21 20:28 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2007-10-03 03:23 22,328 -c--a-w C:\Documents and Settings\Terry\Application Data\PnkBstrK.sys
2006-05-03 07:46 32 -csha-w C:\WINDOWS\{05C80C75-64C6-4435-B37F-A969DD3EB668}.dat
2006-05-03 07:46 32 -csha-w C:\WINDOWS\system32\{07929BDE-01F0-40C9-9F93-7A27C1098F63}.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 21:05 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2003-12-02 16:11 54296]
"ccRegVfy"="C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe" [2003-12-02 16:11 58392]
"WINDVDPatch"="CTHELPER.EXE" [2002-07-02 17:56 24576 C:\WINDOWS\system32\CTHELPER.EXE]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 01:00 90112]
"Jet Detection"="C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe" [2001-11-29 01:00 28672]
"nwiz"="nwiz.exe" [2007-12-05 02:41 1626112 C:\WINDOWS\system32\nwiz.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 02:41 8523776]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 07:00 208952]
"IMEKRMIG6.1"="C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-04 07:00 44032]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-12-05 02:41 81920]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ALUAlert"="C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe" [2002-08-07 09:04 54936]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"tscuninstall"="C:\WINDOWS\system32\tscupgrd.exe" [2004-08-04 07:00 44544]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux1"= ctwdm32.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
--a--c--- 2006-08-01 15:35 67112 C:\PROGRA~1\AIM\aim.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Jet Detection]
--a------ 2001-11-29 01:00 28672 C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a--c--- 2001-07-09 11:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2007-12-05 02:41 8523776 C:\WINDOWS\system32\NvCpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2007-12-05 02:41 81920 C:\WINDOWS\system32\NvMcTray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2007-12-05 02:41 1626112 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahs---- 2008-01-28 12:43 2097488 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a--c--- 2005-11-10 13:03 36975 C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec NetDriver Monitor]
--a--c--- 2006-05-03 03:00 100056 C:\PROGRA~1\SYMNET~1\SNDMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
--a------ 2000-05-11 01:00 90112 C:\WINDOWS\UpdReg.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WINDVDPatch]
--a------ 2002-07-02 17:56 24576 C:\WINDOWS\system32\CTHELPER.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
C:\Program Files\Yahoo!\Messenger\ypager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"aawservice"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Steam\\Steam.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Steam\\SteamApps\\tmicrochip@aol.com\\team fortress 2\\hl2.exe"=
"C:\\Program Files\\Steam\\SteamApps\\tmicrochip@aol.com\\source sdk base\\hl2.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R0 uliagpkx;ULi AGP Bus Filter Driver;C:\WINDOWS\system32\DRIVERS\agpkx.sys [2004-07-08 16:58]
R3 ULI5261;ULi Based Ethernet NT Driver;C:\WINDOWS\system32\DRIVERS\ULILAN.SYS [2004-07-26 22:19]

.
Contents of the 'Scheduled Tasks' folder
"2008-05-20 02:00:58 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2006-05-13 01:15:28 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job"
- C:\PROGRA~1\NORTON~1\NAVW32.exeG/task:C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec\NORTON~1\Tasks\mycomp.sca
"2008-05-24 22:40:29 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-24 17:38:47
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Messenger\msmsgs.exe
.
**************************************************************************
.
Completion time: 2008-05-24 17:42:07 - machine was rebooted [Terry]
ComboFix-quarantined-files.txt 2008-05-24 22:41:59

Pre-Run: 90,321,408,000 bytes free
Post-Run: 90,440,921,088 bytes free

202 --- E O F --- 2008-05-24 20:55:03


HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 5:42:25 PM, on 5/24/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gamespot.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1006.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1190268845296
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Alrighty, well, good news is my clock is fixed. :-) Not sure about the Windows Update stuff. I'm not gonna do that till we're finished, I assume.
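The ComboFix log above lists the registry "loading points" in a REGEDIT4-style layout, and a few of those values matter more than the rest when triaging a log (Security Center alerting, the Windows Firewall state and its exceptions, and Run entries that name a bare executable). The following Python helper is an added example, not part of this thread or of ComboFix itself: it parses that section and reports those settings. The sample input is constructed from lines of the log posted above, and the severity labels are this example's own convention.

```python
import re

# Constructed sample: a few lines copied from the 'Reg Loading Points' section
# of the ComboFix log posted in this thread (a raw string keeps the backslashes).
SAMPLE_LOG = r"""
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2003-12-02 16:11 54296]
"WINDVDPatch"="CTHELPER.EXE" [2002-07-02 17:56 24576 C:\WINDOWS\system32\CTHELPER.EXE]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"""

SECTION_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')


def parse_reg_points(text):
    """Return {registry_key: [(value_name, raw_value), ...]} for every
    [key] block in the text; lines before the first [key] are ignored."""
    sections = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            sections[current].append((m.group(1), m.group(2).strip()))
    return sections


def numeric_value(raw):
    """Decode the two numeric encodings ComboFix uses, 'dword:00000001' and
    '0 (0x0)'. Returns None for string values and empty values."""
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    m = re.match(r'^(\d+)\s*\(0x[0-9a-fA-F]+\)$', raw)
    return int(m.group(1)) if m else None


def triage(text):
    """Return (severity, message) findings for the settings a helper reads
    first: Security Center alerting, firewall state, firewall exceptions and
    open ports, and Run entries whose command is a bare file name (those are
    resolved through the search path, so the real location must be confirmed).
    The severity labels are this example's own convention."""
    findings = []
    for key, values in parse_reg_points(text).items():
        lk = key.lower()
        for name, raw in values:
            num = numeric_value(raw)
            if lk.endswith("security center") and name.endswith("DisableNotify") and num == 1:
                findings.append(("high", f"Security Center alerting suppressed: {name}=1"))
            elif lk.endswith("firewallpolicy\\standardprofile") and name == "EnableFirewall" and num == 0:
                findings.append(("high", "Windows Firewall is OFF in the standard profile"))
            elif "authorizedapplications" in lk:
                app = name.replace("\\\\", "\\")  # the exceptions list doubles its backslashes
                findings.append(("info", f"Firewall exception for {app}"))
            elif "globallyopenports" in lk:
                findings.append(("info", f"Globally open port {name}: {raw}"))
            elif lk.endswith("\\run") and raw.startswith('"'):
                target = raw.split('"')[1]
                if "\\" not in target:
                    findings.append(("review", f"Run entry '{name}' uses bare file name {target}; confirm resolved path"))
    return findings


if __name__ == "__main__":
    for severity, message in triage(SAMPLE_LOG):
        print(f"[{severity:6}] {message}")
```

Run against the full log from the post it would also pick up the second firewall exception list and the Security Center monitoring entries; the point is to read those sections before chasing individual file names.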

#23 andyspeake

Posted 25 May 2008 - 04:47 AM

I'd like you to check (a file/some files) for viruses.

C:\WINDOWS\QTFont.qfn
C:\WINDOWS\QTFont.for
C:\WINDOWS\{05C80C75-64C6-4435-B37F-A969DD3EB668}.dat
C:\WINDOWS\system32\{07929BDE-01F0-40C9-9F93-7A27C1098F63}.dat


  • Copy/Paste the first file on the list into the white Upload a file box.
  • Click Send/Submit, and the file will upload to VirusTotal/Jotti, where it will be scanned by several anti-virus programmes.
  • After a while, a window will open, with details of what the scans found.
  • Note details of any viruses found.
  • Repeat for all files on the list, and post me the details please.

Download and Run Malwarebytes' Anti-Malware
Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
  • If you accidentally close it, the log file is saved here and will be named like this: C:\Documents and Settings\<your username>\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

So please post back:
4 file upload results
Malwarebytes scan results.

#24 Tmicrochip

Posted 25 May 2008 - 04:49 PM

C:\WINDOWS\QTFont.qfn
Jotti Results - Scan taken on 25 May 2008 20:31:11 (GMT)
A-Squared: Found nothing
AntiVir: Found nothing
ArcaVir: Found nothing
Avast: Found nothing
AVG Antivirus: Found nothing
BitDefender: Found nothing
ClamAV: Found nothing
CPsecure: Found nothing
Dr.Web: Found nothing
F-Prot Antivirus: Found nothing
F-Secure Anti-Virus: Found nothing
Fortinet: Found nothing
Ikarus: Found nothing
Kaspersky Anti-Virus: Found nothing
NOD32: Found nothing
Norman Virus Control: Found nothing
Panda Antivirus: Found nothing
Sophos Antivirus: Found nothing
VirusBuster: Found nothing
VBA32: Found nothing

C:\WINDOWS\QTFont.for
Jotti Results - Scan taken on 25 May 2008 20:34:23 (GMT)
A-Squared: Found nothing
AntiVir: Found nothing
ArcaVir: Found nothing
Avast: Found nothing
AVG Antivirus: Found nothing
BitDefender: Found nothing
ClamAV: Found nothing
CPsecure: Found nothing
Dr.Web: Found nothing
F-Prot Antivirus: Found nothing
F-Secure Anti-Virus: Found nothing
Fortinet: Found nothing
Ikarus: Found nothing
Kaspersky Anti-Virus: Found nothing
NOD32: Found nothing
Norman Virus Control: Found nothing
Panda Antivirus: Found nothing
Sophos Antivirus: Found nothing
VirusBuster: Found nothing
VBA32: Found nothing

Unfortunately these two...
C:\WINDOWS\{05C80C75-64C6-4435-B37F-A969DD3EB668}.dat
C:\WINDOWS\system32\{07929BDE-01F0-40C9-9F93-7A27C1098F63}.dat
cannot be found. I can't find those two files anywhere. I did a Windows search, I pulled up hidden files too. I can't find them anywhere. :-\

Here's the results from the Malwarebytes scan:

Malwarebytes' Anti-Malware 1.12
Database version: 786

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 114035
Time elapsed: 31 minute(s), 52 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Ok, it said it successfully removed it. So I'm ready for what's next when you are.

#25 andyspeake

Posted 26 May 2008 - 01:28 AM

Are you having any problems? How is your computer running?



#26 Tmicrochip

Posted 26 May 2008 - 01:54 AM

So far so good. Though with this infection, my system has seemed clean for a few days, then when I'm away and come back it's going all nuts, like trying to send e-mails that Norton blocks from going out, over and over. :-\ But... so far. I haven't attempted to see if I can run Windows Update or not. IE6 blows. lol So yeah, I guess if that's ok I'm gonna try it.

#27 Tmicrochip

Posted 26 May 2008 - 02:36 AM

Ok, I still can get my Windows Updates to install. I really wonder what could be causing that. I'm quite concerned.

#28 andyspeake

Posted 26 May 2008 - 07:22 AM

You can download IE7 from the Windows Update site. There are no signs of malware showing in your log, so your updating problem may be a different issue.

  • Please download this tool from Microsoft.
  • Double click on MGADiag.exe to run it.
  • Click Continue.
  • The program will run. It takes a while to finish the diagnosis, please be patient.
  • Once done, click on Copy.
  • Open Notepad and paste the contents in. Save this file and post it in your next reply.


#29 Tmicrochip

Posted 26 May 2008 - 09:05 AM

Diagnostic Report (1.7.0095.0):
-----------------------------------------
WGA Data-->
Validation Status: Genuine
Validation Code: 0
Online Validation Code: N/A
Cached Validation Code: N/A
Windows Product Key: *****-*****-9GQVJ-3M9RW-RQCV3
Windows Product Key Hash: Msu5GBYnD2wvi8BDkUFm2GlW9/M=
Windows Product ID: 76477-OEM-2163574-91301
Windows Product ID Type: 3
Windows License Type: OEM System Builder
Windows OS version: 5.1.2600.2.00010300.2.0.hom
CSVLK Server: N/A
CSVLK PID: N/A
ID: {49A454F5-487A-4DC2-A1BB-51EF43E29335}(3)
Is Admin: Yes
TestCab: 0x0
WGA Version: Registered, 1.7.69.2
Signed By: Microsoft
Product Name: N/A
Architecture: N/A
Build lab: N/A
TTS Error: N/A
Validation Diagnostic: 025D1FF3-171-1
Resolution Status: N/A

WgaER Data-->
ThreatID(s): N/A
Version: N/A

WGA Notifications Data-->
Cached Result: 0
File Exists: Yes
Version: 1.7.17.0
WgaTray.exe Signed By: Microsoft
WgaLogon.dll Signed By: Microsoft

OGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
WGATray.exe Signed By: Microsoft
OGAAddin.dll Signed By: N/A, hr = 0x80070002

OGA Data-->
Office Status: 109 N/A
OGA Version: Registered, 1.6.28.0
Signed By: Microsoft
Office Diagnostics: 025D1FF3-171-1

Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE 7.0; Win32)
Default Browser: C:\Program Files\Internet Explorer\IEXPLORE.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed

File Scan Data-->

Other data-->
Office Details: <GenuineResults><MachineData><UGUID>{49A454F5-487A-4DC2-A1BB-51EF43E29335}</UGUID><Version>1.7.0095.0</Version><OS>5.1.2600.2.00010300.2.0.hom</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-RQCV3</PKey><PID>76477-OEM-2163574-91301</PID><PIDType>3</PIDType><SID>S-1-5-21-1708537768-616249376-725345543</SID><SYSTEM><Manufacturer>TBD</Manufacturer><Model>K8 Combo-Z</Model></SYSTEM><BIOS><Manufacturer>American Megatrends Inc.</Manufacturer><Version>P2.70</Version><SMBIOSVersion major="2" minor="3"/><Date>20060320000000.000000+000</Date></BIOS><HWID>1EEA320F0184A06C</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Central Standard Time(GMT-06:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM/><BRT/></MachineData><Software><Office><Result>109</Result><Products/><Applications/></Office></Software></GenuineResults>

Yeah, I can't get any of the updates. It just says failed to install update. So no IE7, no anything. :-\

#30 andyspeake

Posted 26 May 2008 - 02:18 PM

Can you try and describe the problem in as much detail as possible: do they download but not install? Are there any messages? If so, can you give me them exactly?

Please go to the Windows Update homepage.

1. Click on "Review your update history" on the left hand side under Options.
2. Find your most recent update failure, which should have the circle with a ? next to it.
3. Click on this Circle and a small window should pop up.
4. Note down the error code and please include that in your next post.

The code should look like this for example : 0x800706BE
