Help, I think I have a trojan conhooker virus and I can't get rid of it
sparky322
Newbie
12. January 2008 @ 13:38
Like the subject says, I think I have this virus and I don't know how to get rid of it. Here is my logfile from HijackThis; if anyone can help I would appreciate it. Thanks in advance, Aaron
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:36:10 PM, on 1/12/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\1XConfig.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defa...rch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?.home=ytie
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customiz...//www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [70760526] rundll32.exe "C:\WINDOWS\System32\rvgkghen.dll",b
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.gateway.com
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\System32\nytqubjo.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

--
End of file - 5734 bytes
Senior Member
12. January 2008 @ 22:09
Hi sparky322, you are correct. There is malware present, but there are also missing entries in the HijackThis log. Usually, this is a clear sign of Vundo. Let's see if we can make those entries show before we clean anything.

Rename HijackThis.exe to any name of your choice.
Run a new scan and post the fresh log.

sparky322
Newbie
12. January 2008 @ 23:59
OK, I renamed the file and scanned again, and this is what came up. Thanks for your help.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:57:23 PM, on 1/12/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\System32\1XConfig.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defa...rch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?.home=ytie
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customiz...//www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [70760526] rundll32.exe "C:\WINDOWS\System32\rvgkghen.dll",b
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.gateway.com
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\System32\nytqubjo.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

--
End of file - 5989 bytes
Senior Member
13. January 2008 @ 01:21
You didn't rename HijackThis.exe.

In bold is what you need to rename:
C:\HijackThis\HijackThis.exe

Please rename that, then run a new scan.

sparky322
Newbie
13. January 2008 @ 17:31
OK, I am really a novice at this stuff; I know just enough to screw everything up and not be able to fix it. I think I renamed it right this time. Thanks for your patience.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:28:05 PM, on 1/13/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\System32\1XConfig.exe
C:\Program Files\BigFix\BigFix.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HijackThis\Not Hijack.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defa...rch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?.home=ytie
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customiz...//www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5F38A207-DF46-47F4-A39B-A8FA81F091EC} - C:\DOCUME~1\Katie\LOCALS~1\Temp\byvtu.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: {ff76d72c-0d2f-8148-ca34-4ba59cba13c7} - {7c31abc9-5ab4-43ac-8418-f2d0c27d67ff} - C:\WINDOWS\System32\nwfkghjs.dll (file missing)
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [70760526] rundll32.exe "C:\WINDOWS\System32\rvgkghen.dll",b
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.gateway.com
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\System32\nytqubjo.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

--
End of file - 6358 bytes
Senior Member
14. January 2008 @ 00:27
Ahh yes, there we go. Now they're showing like they should.

Note: you may want to print these instructions for easier reference.

Locate and delete the following:
C:\WINDOWS\System32\rvgkghen.dll

Run a scan with HijackThis and place a check beside the following:

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customiz...//www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {5F38A207-DF46-47F4-A39B-A8FA81F091EC} - C:\DOCUME~1\Katie\LOCALS~1\Temp\byvtu.dll
O2 - BHO: {ff76d72c-0d2f-8148-ca34-4ba59cba13c7} - {7c31abc9-5ab4-43ac-8418-f2d0c27d67ff} - C:\WINDOWS\System32\nwfkghjs.dll (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [70760526] rundll32.exe "C:\WINDOWS\System32\rvgkghen.dll",b

Close all windows except HijackThis, then click "Fix checked".

Go to Start > Run > type services.msc and press Enter.
Locate the following: DomainService
Right-click "DomainService" and select "Properties".
Beside "Startup type" click the drop-down menu and select "Disabled".
Click OK and then close Services.

Open HijackThis.
Click "Main menu".
Click "Open the misc tools section".
Click "Delete an NT Service".
Paste this into the box: DomainService
Click OK.
When prompted to restart, click OK.

After the restart, go here and download CCleaner.
Note: If you do not want Yahoo! Toolbar uncheck the option when installing.
Open CCleaner.
Click Options > Advanced > uncheck "Only delete files in Windows Temp folders older than 48 hours".
Close all windows except CCleaner.
Click "Cleaner" > "Run Cleaner".
Exit CCleaner.

Then, go here to download the Kaspersky Virus Scanner.
Click "Download now".
After downloading, install.
Click "Next" on every option to accept default settings and click the "Complete" button for a full install.
After installing, you'll be taken to the Update page.
Click "Update now".
After the update, click "Close", then click "Next".
Uncheck "At program startup", then click "Next".
Click "Next" again, and then "Finish" to restart your computer.

After the restart, double-click the "K" icon in your system tray.
Select your C: drive and then click "Scan".
After the scan, click "All reports".
Click the completed scan to highlight it.
Click "Save as" and save the report to your desktop.
Close the Kaspersky Scanner.

Run a new scan with HijackThis to get a fresh log.
Please post the new HijackThis log along with the Kaspersky report.
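The entries the helper picks out above share a few tells: a Run key named only by digits that has rundll32.exe load a System32 DLL, BHOs with no descriptive name (or a GUID as a name) whose file is missing, a DLL sitting in a user's Temp folder, and a service with an unknown owner and a missing binary. The script below turns those tells into a triage pass over HijackThis output. It is an added example, not HijackThis' own code or anything posted in the thread; the indicator names and the two-indicator threshold are assumptions, and the sample lines are copied from the log posted above.

```python
"""Heuristic triage of HijackThis O2/O4/O23 lines (added example, not
HijackThis' own code). A line is reported only when two or more indicators
agree, which keeps benign lowercase binaries such as hkcmd.exe out of the
report while the four malicious entries from the thread all score three."""
import re

# Constructed sample: nine lines copied from the log posted above, including
# HotKeysCmds as a benign lowercase binary that must not be flagged.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5F38A207-DF46-47F4-A39B-A8FA81F091EC} - C:\DOCUME~1\Katie\LOCALS~1\Temp\byvtu.dll
O2 - BHO: {ff76d72c-0d2f-8148-ca34-4ba59cba13c7} - {7c31abc9-5ab4-43ac-8418-f2d0c27d67ff} - C:\WINDOWS\System32\nwfkghjs.dll (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [70760526] rundll32.exe "C:\WINDOWS\System32\rvgkghen.dll",b
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\System32\nytqubjo.exe (file missing)
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
"""

GUID_RE = re.compile(r"^\{?[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}?$")
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[^}]+)\} - (?P<target>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>.*?)\\\.\.\\Run: \[(?P<key>[^\]]*)\] (?P<target>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<target>.*)$")
# First Windows path ending in a loadable module; tolerates spaces in the
# path and trailing text such as ',b' or ' (file missing)'.
PATH_RE = re.compile(r'[A-Za-z]:\\[^",]*?\.(?:dll|exe|ocx)', re.IGNORECASE)


def module_stem(target):
    """Return the file-name stem of the first module path in target, or ''."""
    m = PATH_RE.search(target)
    if not m:
        return ""
    return m.group(0).rsplit("\\", 1)[-1].rsplit(".", 1)[0]


def indicators(line):
    """Return the indicator names that fire for one HijackThis line."""
    hits = []
    kind = line.split(" - ", 1)[0]
    if kind == "O2":
        m = O2_RE.match(line)
        if not m:
            return hits
        target = m.group("target")
        if m.group("name") == "(no name)" or GUID_RE.match(m.group("name")):
            hits.append("bho-without-descriptive-name")
    elif kind == "O4":
        m = O4_RE.match(line)
        if not m:
            return hits
        target = m.group("target")
        if m.group("key").isdigit():
            hits.append("run-key-named-by-digits")
        if re.match(r"rundll32(\.exe)?\b", target, re.IGNORECASE):
            hits.append("rundll32-loader")
    elif kind == "O23":
        m = O23_RE.match(line)
        if not m:
            return hits
        target = m.group("target")
        if m.group("owner") == "Unknown owner":
            hits.append("service-unknown-owner")
    else:
        return hits
    # Indicators shared by all three entry types.
    if "(file missing)" in target or "(no file)" in target:
        hits.append("file-missing")
    if re.search(r"\\temp\\|\\locals~1\\", target, re.IGNORECASE):
        hits.append("loaded-from-temp")
    stem = module_stem(target)
    if len(stem) >= 5 and stem.isalpha() and stem.islower():
        hits.append("lowercase-only-module-name")   # weak on its own
    return hits


def triage(log_text, threshold=2):
    """Return [(line, indicators)] for lines with at least `threshold` hits."""
    report = []
    for line in log_text.strip().splitlines():
        hits = indicators(line.strip())
        if len(hits) >= threshold:
            report.append((line.strip(), hits))
    return report


if __name__ == "__main__":
    for line, hits in triage(SAMPLE_LOG):
        print(", ".join(hits))
        print("    " + line)
```

A flagged line is a lead to verify, not a verdict; the helper's own list above also removes orphaned toolbar hooks that score only one indicator here.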

sparky322
Newbie
14. January 2008 @ 19:25
I am having a hard time locating that file. I looked under My Computer, hard drive C:, System32, and it's nowhere to be found in that folder. I tried to do a file search and it came back empty as well. Am I going about deleting this file the wrong way? I will attach another log file for you to view, but I believe I still see the file like in the last log file. Thanks again for your help and patience.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:21:08 PM, on 1/14/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\System32\1XConfig.exe
C:\Program Files\BigFix\BigFix.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HijackThis\Not Hijack.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defa...rch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?.home=ytie
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customiz...//www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5F38A207-DF46-47F4-A39B-A8FA81F091EC} - C:\DOCUME~1\Katie\LOCALS~1\Temp\byvtu.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: {ff76d72c-0d2f-8148-ca34-4ba59cba13c7} - {7c31abc9-5ab4-43ac-8418-f2d0c27d67ff} - C:\WINDOWS\System32\nwfkghjs.dll (file missing)
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [70760526] rundll32.exe "C:\WINDOWS\System32\rvgkghen.dll",b
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.gateway.com
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\System32\nytqubjo.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

--
End of file - 6391 bytes
Senior Member
14. January 2008 @ 19:39
It's most likely hidden, but that's okay. Just continue with the instructions. We'll deal with it after I see the Kaspersky report.

sparky322
Newbie
15. January 2008 @ 19:35
OK, I followed your instructions and here are the two log files you asked for. Thanks again so much for all your help.

Kaspersky Report:
Protection
----------
Total scanned: 240239
Detected: 1
Untreated: 0
Start time: 1/15/2008 5:47:46 PM
Duration: 00:00:01
Finish time: 1/15/2008 5:47:47 PM


Detected
--------
Status Object
------ ------
deleted: Trojan program Trojan-Downloader.Win32.PurityScan.fe File: C:\Program Files\Norton AntiVirus\Quarantine\517A0BA1//CryptFF//PE_Patch.UPX//UPX


Events
------
Time Event
---- -----
1/15/2008 6:09:52 PM File C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\Quarantine - 01-02-2008 - 23-48-35.SBU/{080F1793-0E35-4658-9F04-7B77EE293F02}: is password protected.
1/15/2008 6:09:52 PM File C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\Quarantine - 01-02-2008 - 23-48-35.SBU/{25F128DE-4506-4CA2-8328-E88E923ADDBC}: is password protected.
1/15/2008 6:09:52 PM File C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\Quarantine - 01-02-2008 - 23-48-35.SBU/{32EC4470-E147-415D-A734-EF6D9FD0F847}: is password protected.
1/15/2008 6:09:52 PM File C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\Quarantine - 01-02-2008 - 23-48-35.SBU/{3CF1E794-78E0-485D-B6DE-303E7CC1C3F2}: is password protected.
1/15/2008 6:09:52 PM File C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\Quarantine - 01-02-2008 - 23-48-35.SBU/{4C55F23C-DC30-44BB-81F9-D3F0742B6AF9}: is password protected.
1/15/2008 6:09:52 PM File C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\Quarantine - 01-02-2008 - 23-48-35.SBU/{4FC241E8-226D-4C2B-943B-FDED191A9AF3}: is password protected.
1/15/2008 6:09:52 PM File C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\Quarantine - 01-02-2008 - 23-48-35.SBU/{63F361AF-F466-49EA-AF9E-514C5D4D02EF}: is password protected.
1/15/2008 6:09:52 PM File C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\Quarantine - 01-02-2008 - 23-48-35.SBU/{6714C86A-2AEF-46BF-8666-FB17484B5921}: is password protected.
1/15/2008 6:09:52 PM File C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\Quarantine - 01-02-2008 - 23-48-35.SBU/{7D4746F2-699B-44E5-975F-DAA1172AA61B}: is password protected.
1/15/2008 6:09:52 PM File C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\Quarantine - 01-02-2008 - 23-48-35.SBU/{A5A857F2-4F7E-4758-A87C-B595EB54E8CA}: is password protected.
1/15/2008 6:09:52 PM File C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\Quarantine - 01-02-2008 - 23-48-35.SBU/{AE811B9A-655D-4F75-9906-426361B5626C}: is password protected.
1/15/2008 6:09:52 PM File C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\Quarantine - 01-02-2008 - 23-48-35.SBU/{B673F6C3-B537-41B9-81C2-A5BD8F1ABC07}: is password protected.
1/15/2008 6:09:52 PM File C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\Quarantine - 01-02-2008 - 23-48-35.SBU/{B6F3A572-F74B-4BF2-90BB-DEA1539ADFB6}: is password protected.
1/15/2008 6:09:52 PM File C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\Quarantine - 01-02-2008 - 23-48-35.SBU/{B737C7A8-9779-4ED1-9AEB-AAEF81653981}: is password protected.
1/15/2008 6:09:52 PM File C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\Quarantine - 01-02-2008 - 23-48-35.SBU/{CA4A8D0B-91CB-4CE8-826D-0586C45EF04F}: is password protected.
1/15/2008 6:09:52 PM File C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\Quarantine - 01-02-2008 - 23-48-35.SBU/{CD31413E-F514-48D4-8936-3D8590FB76EA}: is password protected.
1/15/2008 6:09:52 PM File C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\Quarantine - 01-02-2008 - 23-48-35.SBU/{D74EFB1D-6DEA-4699-93DD-7D24AFD5E54E}: is password protected.
1/15/2008 6:09:52 PM File C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\Quarantine - 01-02-2008 - 23-48-35.SBU/{EBBAEB19-3BCD-4576-B87C-A3525A9300FB}: is password protected.
1/15/2008 6:09:52 PM File C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\Quarantine - 01-02-2008 - 23-48-35.SBU/{EBCE40B4-7CDB-46CA-BCBE-6D58ED354832}: is password protected.
1/15/2008 6:09:52 PM File C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\Quarantine - 01-02-2008 - 23-48-35.SBU/backup.db: is password protected.
1/15/2008 6:46:25 PM File C:\Program Files\Norton AntiVirus\Quarantine\517A0BA1//CryptFF//PE_Patch.UPX//UPX: detected Trojan program 'Trojan-Downloader.Win32.PurityScan.fe'.
1/15/2008 6:46:25 PM Security threats have been detected. You are advised to neutralize them immediately.
1/15/2008 6:46:25 PM File C:\Program Files\Norton AntiVirus\Quarantine\517A0BA1//CryptFF//PE_Patch.UPX//UPX: is still infected, postponed.
1/15/2008 6:46:50 PM File c:\program files\norton antivirus\quarantine\517a0ba1//CryptFF//PE_Patch.UPX//UPX: detected Trojan program 'Trojan-Downloader.Win32.PurityScan.fe'.
1/15/2008 6:47:29 PM File c:\program files\norton antivirus\quarantine\517a0ba1: deleted.
1/15/2008 6:56:20 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20070109172812.zip/owner@2o7[2].txt: is password protected.
1/15/2008 6:56:20 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20070109172812.zip/owner@advertising[1].txt: is password protected.
1/15/2008 6:56:20 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20070109172812.zip/owner@atdmt[2].txt: is password protected.
1/15/2008 6:56:20 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20070109172812.zip/owner@doubleclick[1].txt: is password protected.
1/15/2008 6:56:20 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20070109172812.zip/owner@edge.ru4[2].txt: is password protected.
1/15/2008 6:56:20 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20070109172812.zip/owner@fastclick[2].txt: is password protected.
1/15/2008 6:56:20 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20070109172812.zip/owner@ehg-wachovia.hitbox[2].txt: is password protected.
1/15/2008 6:56:20 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20070109172812.zip/owner@hitbox[2].txt: is password protected.
1/15/2008 6:56:20 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20070109172812.zip/owner@mediaplex[1].txt: is password protected.
1/15/2008 6:56:20 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20070109172812.zip/owner@realmedia[1].txt: is password protected.
1/15/2008 6:56:20 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20070109172812.zip/owner@trafficmp[1].txt: is password protected.
1/15/2008 6:56:20 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20070109172812.zip/owner@tribalfusion[1].txt: is password protected.
1/15/2008 6:56:20 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20070508170705.zip/owner@ad.yieldmanager[2].txt: is password protected.
1/15/2008 6:56:20 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20070508170705.zip/owner@adinterax[2].txt: is password protected.
1/15/2008 6:56:20 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20070508170705.zip/owner@adlegend[1].txt: is password protected.
1/15/2008 6:56:20 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20070508170705.zip/owner@atdmt[2].txt: is password protected.
1/15/2008 6:56:20 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20070508170705.zip/owner@atdmt[2].txt: is password protected.
1/15/2008 6:56:20 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20070508170705.zip/owner@att[1].txt: is password protected.
1/15/2008 6:56:20 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20070508170705.zip/owner@atwola[1].txt: is password protected.
1/15/2008 6:56:20 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20070508170705.zip/owner@casalemedia[2].txt: is password protected.
1/15/2008 6:56:20 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20070508170705.zip/owner@doubleclick[1].txt: is password protected.
1/15/2008 6:56:20 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20070508170705.zip/owner@doubleclick[1].txt: is password protected.
1/15/2008 6:56:20 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20070508170705.zip/owner@insightexpressai[2].txt: is password protected.
1/15/2008 6:56:20 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20070508170705.zip/owner@mediaplex[2].txt: is password protected.
1/15/2008 6:56:20 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20070508170705.zip/owner@questionmarket[2].txt: is password protected.
1/15/2008 6:56:20 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20070508170705.zip/owner@zedo[2].txt: is password protected.
1/15/2008 6:56:20 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20070614160346.zip/owner@ad.yieldmanager[1].txt: is password protected.
1/15/2008 6:56:20 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20070614160346.zip/owner@adinterax[2].txt: is password protected.
1/15/2008 6:56:20 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20070614160346.zip/owner@adinterax[2].txt: is password protected.
1/15/2008 6:56:20 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20070614160346.zip/owner@adlegend[1].txt: is password protected.
1/15/2008 6:56:20 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20070614160346.zip/owner@adlegend[1].txt: is password protected.
1/15/2008 6:56:20 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20070614160346.zip/owner@advertising[2].txt: is password protected.
1/15/2008 6:56:20 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20070614160346.zip/owner@atdmt[2].txt: is password protected.
1/15/2008 6:56:20 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20070614160346.zip/owner@atdmt[2].txt: is password protected.
1/15/2008 6:56:20 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20070614160346.zip/owner@doubleclick[2].txt: is password protected.
1/15/2008 6:56:20 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20070614160346.zip/owner@mediaplex[1].txt: is password protected.
1/15/2008 6:56:20 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20070614160346.zip/owner@mediaplex[1].txt: is password protected.
1/15/2008 6:56:21 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20070614160346.zip/owner@ads.pointroll[2].txt: is password protected.
1/15/2008 6:56:21 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20070614160346.zip/owner@questionmarket[2].txt: is password protected.
1/15/2008 6:56:21 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20070614160346.zip/owner@questionmarket[2].txt: is password protected.
1/15/2008 6:56:21 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20070708182021.zip/owner@ad.yieldmanager[2].txt: is password protected.
1/15/2008 6:56:21 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20070708182021.zip/owner@ad.yieldmanager[2].txt: is password protected.
1/15/2008 6:56:21 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20070708182021.zip/owner@adinterax[2].txt: is password protected.
1/15/2008 6:56:21 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20070708182021.zip/owner@adinterax[2].txt: is password protected.
1/15/2008 6:56:21 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20070708182021.zip/owner@adlegend[2].txt: is password protected.
1/15/2008 6:56:21 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20070708182021.zip/owner@atdmt[2].txt: is password protected.
1/15/2008 6:56:21 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20070708182021.zip/owner@atdmt[2].txt: is password protected.
1/15/2008 6:56:21 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20070708182021.zip/owner@doubleclick[1].txt: is password protected.
1/15/2008 6:56:21 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20070708182021.zip/owner@doubleclick[1].txt: is password protected.
1/15/2008 6:56:21 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20070708182021.zip/owner@mediaplex[2].txt: is password protected.
1/15/2008 6:56:21 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20070708182021.zip/owner@mediaplex[2].txt: is password protected.
1/15/2008 6:56:21 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20070917215720.zip/owner@www.lowermybills[1].txt: is password protected.
1/15/2008 6:56:21 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20070917215720.zip/owner@partner2profit[2].txt: is password protected.
1/15/2008 6:56:21 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20070917215720.zip/owner@register[1].txt: is password protected.
1/15/2008 6:56:21 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20070917215720.zip/owner@register[3].txt: is password protected.
1/15/2008 6:56:21 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20071002022113.zip/owner@register[2].txt: is password protected.
1/15/2008 6:56:21 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20071002022113.zip/owner@adopt.specificclick[1].txt: is password protected.
1/15/2008 6:56:22 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20071112152929.zip/owner@att[1].txt: is password protected.
1/15/2008 6:56:22 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20071112152929.zip/owner@att[1].txt: is password protected.
1/15/2008 6:56:22 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20071112152929.zip/owner@register[1].txt: is password protected.
1/15/2008 6:56:22 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20071112152929.zip/owner@register[1].txt: is password protected.
1/15/2008 6:56:22 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20071217041835.zip/owner@exitexchange[1].txt: is password protected.
1/15/2008 6:56:22 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20071217041835.zip/owner@interclick[2].txt: is password protected.
1/15/2008 6:56:22 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20071217041835.zip/owner@ads.mediamayhemcorp[2].txt: is password protected.
1/15/2008 6:56:22 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20071217041835.zip/owner@adopt.specificclick[1].txt: is password protected.
1/15/2008 6:56:22 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20071217041835.zip/owner@adopt.specificclick[1].txt: is password protected.
1/15/2008 6:56:22 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20071219214529.zip/owner@ad.yieldmanager[1].txt: is password protected.
1/15/2008 6:56:22 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20071219214529.zip/owner@ad.yieldmanager[1].txt: is password protected.
1/15/2008 6:56:22 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20071219214529.zip/owner@advertising[2].txt: is password protected.
1/15/2008 6:56:22 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20071219214529.zip/owner@advertising[2].txt: is password protected.
1/15/2008 6:56:22 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20071219214529.zip/owner@atdmt[2].txt: is password protected.
1/15/2008 6:56:22 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20071219214529.zip/owner@atdmt[2].txt: is password protected.
1/15/2008 6:56:22 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20071219214529.zip/owner@doubleclick[2].txt: is password protected.
1/15/2008 6:56:22 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20071219214529.zip/owner@doubleclick[2].txt: is password protected.
1/15/2008 6:56:22 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20071219214529.zip/owner@loc1.hitsprocessor[1].txt: is password protected.
1/15/2008 6:56:22 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20071219214529.zip/owner@mediaplex[2].txt: is password protected.
1/15/2008 6:56:22 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20071219214529.zip/owner@mediaplex[2].txt: is password protected.
1/15/2008 6:56:22 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20071219214529.zip/owner@mygeek[1].txt: is password protected.
1/15/2008 6:56:22 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20071219214529.zip/owner@questionmarket[2].txt: is password protected.
1/15/2008 6:56:22 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20071219214529.zip/owner@questionmarket[2].txt: is password protected.
1/15/2008 6:56:22 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20071219214529.zip/owner@tacoda[2].txt: is password protected.
1/15/2008 6:56:22 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20071219214529.zip/owner@zedo[2].txt: is password protected.
1/15/2008 6:56:22 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20071219214529.zip/owner@zedo[2].txt: is password protected.
1/15/2008 6:56:22 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20071222114411.zip/owner@enhance[2].txt: is password protected.
1/15/2008 6:56:22 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20071222114411.zip/owner@quantserve[2].txt: is password protected.
1/15/2008 6:56:22 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20071224120410.zip/owner@mygeek[1].txt: is password protected.
1/15/2008 6:56:22 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20071224120410.zip/owner@mygeek[1].txt: is password protected.
1/15/2008 6:56:22 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20071224120410.zip/owner@quantserve[2].txt: is password protected.
1/15/2008 6:56:22 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20071224120410.zip/owner@quantserve[2].txt: is password protected.
1/15/2008 6:56:23 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20071228184538.zip/owner@adrevolver[2].txt: is password protected.
1/15/2008 6:56:23 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20071228184538.zip/owner@adrevolver[3].txt: is password protected.
1/15/2008 6:56:23 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20071228184538.zip/owner@media.adrevolver[2].txt: is password protected.
1/15/2008 6:56:23 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20071228184538.zip/owner@specificclick[2].txt: is password protected.
1/15/2008 6:56:23 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20071228184538.zip/owner@atdmt[2].txt: is password protected.
1/15/2008 6:56:23 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20071228184538.zip/owner@atdmt[2].txt: is password protected.
1/15/2008 6:56:23 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20071228184538.zip/owner@burstnet[2].txt: is password protected.
1/15/2008 6:56:23 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20071228184538.zip/owner@www.burstnet[1].txt: is password protected.
1/15/2008 6:56:23 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20071228184538.zip/owner@mediaplex[2].txt: is password protected.
1/15/2008 6:56:23 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20071228184538.zip/owner@mediaplex[2].txt: is password protected.
1/15/2008 6:56:23 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20071228184538.zip/owner@mygeek[2].txt: is password protected.
1/15/2008 6:56:23 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20071228184538.zip/owner@ads.pointroll[1].txt: is password protected.
1/15/2008 6:56:23 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20071228184538.zip/owner@adopt.specificclick[1].txt: is password protected.
1/15/2008 6:56:23 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20071228184538.zip/owner@adopt.specificclick[1].txt: is password protected.
1/15/2008 6:56:23 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20071228184538.zip/owner@tacoda[2].txt: is password protected.
1/15/2008 6:56:23 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20071228184538.zip/owner@tacoda[2].txt: is password protected.
1/15/2008 6:56:23 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20071228184538.zip/owner@anad.tacoda[1].txt: is password protected.
1/15/2008 6:56:24 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20071229022729.zip/owner@specificclick[1].txt: is password protected.
1/15/2008 6:56:24 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20071229022729.zip/owner@atdmt[1].txt: is password protected.
1/15/2008 6:56:24 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20071229022729.zip/owner@burstnet[2].txt: is password protected.
1/15/2008 6:56:24 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20071229022729.zip/owner@burstnet[2].txt: is password protected.
1/15/2008 6:56:24 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20071229022729.zip/owner@www.burstnet[1].txt: is password protected.
1/15/2008 6:56:24 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20071229022729.zip/owner@www.burstnet[1].txt: is password protected.
1/15/2008 6:56:24 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20071229022729.zip/owner@doubleclick[1].txt: is password protected.
1/15/2008 6:56:24 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20071229022729.zip/owner@doubleclick[1].txt: is password protected.
1/15/2008 6:56:24 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20071229022729.zip/owner@adopt.specificclick[1].txt: is password protected.
1/15/2008 6:56:24 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20071229022729.zip/owner@adopt.specificclick[1].txt: is password protected.
1/15/2008 6:56:24 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20071229022729.zip/owner@tacoda[2].txt: is password protected.
1/15/2008 6:56:24 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20071229022729.zip/owner@tacoda[2].txt: is password protected.
1/15/2008 6:56:24 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20071229022729.zip/owner@anad.tacoda[2].txt: is password protected.
1/15/2008 6:56:24 PM File C:\Program Files\Yahoo!\YPSR\Quarantine\20071229022729.zip/owner@anat.tacoda[1].txt: is password protected.


Reports
-------
Component Status Start Finish Size
--------- ------ ----- ------ ----
Update completed 1/15/2008 5:45:52 PM 1/15/2008 5:47:10 PM 146.9 KB
Scan completed 1/15/2008 5:47:59 PM 1/15/2008 7:26:15 PM 48.3 MB


Quarantine
----------
Status Object Size Added
------ ------ ---- -----


Backup
------
Status Object Size
------ ------ ----
Infected: Trojan program Trojan-Downloader.Win32.PurityScan.fe c:\program files\norton antivirus\quarantine\517a0ba1 73.6 KB

Hijack This Log File:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:33:28 PM, on 1/15/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\1XConfig.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\BigFix\BigFix.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HijackThis\Not Hijack.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defa...rch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?.home=ytie
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {F169FD4D-A3CE-4131-9288-B1EB96F62879} - C:\DOCUME~1\Katie\LOCALS~1\Temp\byvtu.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.gateway.com
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

--
End of file - 6157 bytes
Senior Member
15. January 2008 @ 21:01
Alright, the HijackThis log is looking better, but a trojan still remains.

Download VundoFix to your desktop.

Double-click VundoFix.exe to run it.
Click "Scan for Vundo".
Once it's done scanning, click "Remove Vundo".
You will receive a prompt asking if you want to remove the files, click YES.
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
VundoFix will create a log at C:\vundofix.txt.

Empty the quarantine for each of the following:
SUPERAntiSpyware
Norton AntiVirus
Yahoo! Anti-Spy

Run a new scan with HijackThis to get a fresh log.
Please post back with the VundoFix log and the new HijackThis log.

-----------------------------------------------------

You have two antivirus programs running. This can cause conflicts and may produce false positives. You need to choose the one you like best (Norton or AVG) and uninstall the other. My recommendation would be to uninstall Norton, as it is a resource-heavy program. If you choose to uninstall Norton, let me know, because to fully remove it from your computer you will need to do a few things.

You may also uninstall the Kaspersky scanner, but if you choose to keep it, fix this entry with HijackThis (this prevents it from running on startup):
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe"
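The two things the reply above pulls out of the log by eye (a BHO loading from a user Temp folder, and more than one antivirus vendor's services installed) can be checked mechanically over the HijackThis O2/O4/O23 lines. This is an added example, not code from the thread or from HijackThis itself; the vendor table and the O4 placeholder.exe line in the sample are constructed assumptions.

```python
"""Triage of a HijackThis log: flag BHO/autorun entries loaded from a user
Temp folder and detect more than one antivirus vendor's services."""
import re
from dataclasses import dataclass, field
from typing import List, Set

# Constructed sample built from entries in the log posted above, plus one
# O4 line (placeholder.exe) that is constructed for the example and did not
# appear in the thread.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {F169FD4D-A3CE-4131-9288-B1EB96F62879} - C:\DOCUME~1\Katie\LOCALS~1\Temp\byvtu.dll
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe"
O4 - HKCU\..\Run: [Placeholder] C:\DOCUME~1\Katie\LOCALS~1\Temp\placeholder.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

# Vendor substrings (lower-case) from O23 lines mapped to a product family.
# Assumption of this example: HijackThis itself carries no such table.
AV_VENDORS = {
    "symantec": "Norton AntiVirus",
    "grisoft": "AVG",
    "kaspersky": "Kaspersky",
}
TEMP_DIRS = {"temp", "tmp"}

BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
RUN_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<key>[^\]]+)\] (?P<cmd>.+)$")
SERVICE_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<vendor>.+?) - (?P<path>.+)$")
# First executable or DLL path in a Run command line (quoted or not, arguments ignored).
EXE_RE = re.compile(r'"?(?P<exe>[A-Za-z]:\\[^"]*?\.(?:exe|dll))', re.IGNORECASE)


def loaded_from_temp(path: str) -> bool:
    r"""True if any directory component of a Windows path is a temp folder.
    Works for long names (Local Settings\Temp) and 8.3 short names (LOCALS~1\Temp)."""
    parts = path.replace("/", "\\").lower().split("\\")
    return any(part in TEMP_DIRS for part in parts[:-1])


@dataclass
class Triage:
    temp_loads: List[str] = field(default_factory=list)    # raw O2/O4 lines loading from Temp
    unnamed_bhos: List[str] = field(default_factory=list)  # O2 lines registered as "(no name)"
    av_vendors: Set[str] = field(default_factory=set)      # product families seen in O23 lines

    @property
    def multiple_av(self) -> bool:
        return len(self.av_vendors) > 1


def triage_hjt_log(text: str) -> Triage:
    """Walk the log once and collect the findings the reply above acted on."""
    result = Triage()
    for raw in text.splitlines():
        line = raw.strip()
        if m := BHO_RE.match(line):
            if m["name"].strip().lower() == "(no name)":
                result.unnamed_bhos.append(line)
            if loaded_from_temp(m["path"]):
                result.temp_loads.append(line)
        elif m := RUN_RE.match(line):
            exe = EXE_RE.search(m["cmd"])
            if exe and loaded_from_temp(exe["exe"]):
                result.temp_loads.append(line)
        elif m := SERVICE_RE.match(line):
            vendor = m["vendor"].lower()
            for needle, family in AV_VENDORS.items():
                if needle in vendor:
                    result.av_vendors.add(family)
    return result


def report(triage: Triage) -> List[str]:
    """Human-readable findings, one per line, in the order a reviewer would read them."""
    lines = [f"unnamed BHO, review: {entry}" for entry in triage.unnamed_bhos]
    lines += [f"loaded from Temp, review: {entry}" for entry in triage.temp_loads]
    if triage.multiple_av:
        lines.append("multiple antivirus vendors installed: " + ", ".join(sorted(triage.av_vendors)))
    return lines


if __name__ == "__main__":
    print("\n".join(report(triage_hjt_log(SAMPLE_LOG))))
```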

sparky322
Newbie
16. January 2008 @ 16:26
Well it's good to hear that we are making progress, but I still keep getting pop-ups.... I had already downloaded the VundoFix last week sometime and ran it; when I ran it today it didn't see any trojans. I deleted all the quarantine from the 3 files you mentioned. Norton didn't have any, Yahoo had about 69, and the other one had a lot; I believe it called it the virus vault, not the quarantine, so I hope I deleted the right stuff.
I was interested in deleting the Norton file, so if you could explain how to do that I would appreciate it.

Here is the logfile you asked for; not real sure if you want to see the old Vundo log or, since it's clean, you want to take another route. Thanks again.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:24:57 PM, on 1/16/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\System32\1XConfig.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\BigFix\BigFix.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HijackThis\Not Hijack.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defa...rch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?.home=ytie
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {F169FD4D-A3CE-4131-9288-B1EB96F62879} - C:\DOCUME~1\Katie\LOCALS~1\Temp\byvtu.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.gateway.com
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

--
End of file - 5953 bytes
Senior Member
16. January 2008 @ 17:01
You're still getting popups because Vundo is still present. It is in a temp folder so that may be the reason VundoFix cannot see it. Let's try deleting it manually.

Go here and download KillBox to your desktop.

Open Killbox.
Check "Unregister dll Before Deleting"
Next, in the "Full Path of File to Delete" box, copy/paste the following (in bold).
C:\Documents and Settings\Katie\Local Settings\Temp\byvtu.dll
Then, click the red button with a white X.
You will be prompted to confirm, click "Yes".
Close KillBox.

Next, run a scan with HijackThis and check and fix this entry (if there):
O2 - BHO: (no name) - {F169FD4D-A3CE-4131-9288-B1EB96F62879} - C:\DOCUME~1\Katie\LOCALS~1\Temp\byvtu.dll

Restart your computer.
Run a scan with HijackThis to get a fresh log and post it.

As for removing Norton, we will do that once we know your computer is clean. There are also some other updates that need to be installed, but not until the computer is clean of malware.

bluecoal
Suspended due to non-functional email address
16. January 2008 @ 17:21
It's my understanding that VundoFix gets updates; it might be worthwhile to download a fresh copy and try again.

Also, if you right-click the white space in the middle of the VundoFix screen, you can get to a screen where you can add the file paths of files you want to delete; you could try that for your stubborn file too.
sparky322
Newbie
16. January 2008 @ 18:06
I followed your directions and downloaded the KillBox program; it said it was unable to delete the file. I did check the right box like you had instructed, so what's the next step... thanks again for all your time.
sparky322
Newbie
16. January 2008 @ 18:10
Not sure if it matters, but here is the updated logfile:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:06:24 PM, on 1/16/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\System32\1XConfig.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\BigFix\BigFix.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HijackThis\Not Hijack.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defa...rch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?.home=ytie
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {329D4271-49D5-42D0-9D95-5D85A3006782} - C:\DOCUME~1\Katie\LOCALS~1\Temp\byvtu.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.gateway.com
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

--
End of file - 5726 bytes
Senior Member
16. January 2008 @ 18:47
Try deleting it with KillBox in safe mode.
Save those KillBox instructions to Notepad if you need them.
Restart your computer. Before the Windows load screen press F8, select "Safe Mode" from the menu and press Enter.
Then, follow the KillBox instructions.

If KillBox still cannot delete the file, try deleting it with VundoFix manually as bluecoal suggested. Do this in normal mode.

Open VundoFix.
Right-click the white window and select "Add more files?"
Paste this into the first box: C:\Documents and Settings\Katie\Local Settings\Temp\byvtu.dll
Paste this into the second box: utvyb.*
Click the "Add files" button.
Then, click the "Close window" button.
Finally, click "Remove Vundo".

Then, after the restart, fix that entry with HijackThis mentioned in my last post.
Run a new scan and post the fresh log.

Edit: if you have to use VundoFix to delete the file, please post the VundoFix log along with your HijackThis log.

This message has been edited since posting. Last time this message was edited on 16. January 2008 @ 18:53

sparky322
Newbie
16. January 2008 @ 20:10
I deleted the file manually using the Vundo program and then I fixed it with HijackThis. Here is the logfile:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:08:22 PM, on 1/16/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\1XConfig.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\BigFix\BigFix.exe
C:\WINDOWS\System32\wuauclt.exe
C:\HijackThis\Not Hijack.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defa...rch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?.home=ytie
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.gateway.com
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

--
End of file - 5605 bytes
Senior Member
16. January 2008 @ 22:14
Does the VundoFix log report deleting the file?

KotaGuy
Member
17. January 2008 @ 13:11
Hey there Niobis.

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime

Note the space between the "k" and the "."

This Vundo infection is the new thing it's been doing... namely infecting files. That qttask .exe is infected. Vundo will have appended itself to that file... it's probably grown by about 300kb or so from the size it should be.

A ComboFix scan will show it, and using CFScript.txt with File::, RenV::, and Registry:: sections you can deal with the rest of the files it's dropped and infected.

It typically has a couple of new reg entries it loads itself into that need to be turfed as well... particularly the lsa key, which will need to be overwritten with the proper hex.
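The space-before-extension indicator KotaGuy points out, as an added detection example; this is not code from the thread, nor from HijackThis, VundoFix or ComboFix, and the sample log lines inside it are constructed, modelled on the entries quoted in this thread:

```python
"""Flag executables whose name hides whitespace before the extension.

Added detection example; not code from the thread or from HijackThis,
VundoFix or ComboFix.  It reads log lines in the styles quoted in the
thread (HijackThis "O4" autorun entries, ComboFix file listings and
REGEDIT4 "name"="path" lines), pulls every Windows path out of them and
reports paths such as "qttask .exe", where a space sits between the base
name and the extension.  It also notes whether the same path without the
space appears elsewhere in the log: the "look-alike beside the original"
pattern seen with ctfmon .exe next to ctfmon.exe.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

EXT = r'\.(?:exe|dll|scr|com|sys)'

# A Windows path ending in an executable-style extension.  Non-greedy so that
# arguments after a quoted path (e.g. -atboottime) are not swallowed.
WIN_PATH = re.compile(r'[A-Za-z]:\\[^"\r\n]*?' + EXT + r'(?=$|["\s\]])', re.IGNORECASE)

# Whitespace immediately before the extension: the indicator itself.
PADDED_EXT = re.compile(r'\s+(' + EXT + r')$', re.IGNORECASE)

# ComboFix-style listing: "----a-w 286,720 2008-01-01 22:33:11 C:\...\qttask .exe"
SIZE_FIELD = re.compile(r'^[-a-z]+\s+([\d,]+)\s+\d{4}-\d{2}-\d{2}')


@dataclass
class Finding:
    line_no: int
    path: str             # as written in the log, e.g. ...\qttask .exe
    collapsed: str        # same path with the padding removed
    twin_in_log: bool     # the collapsed path also appears somewhere in the log
    size: Optional[int]   # byte count when the line carried one


def collapse(path: str) -> str:
    """Remove the whitespace between base name and extension."""
    return PADDED_EXT.sub(r'\1', path)


def scan_log(lines: List[str]) -> List[Finding]:
    """Return every padded-extension path found in the given log lines."""
    paths = []  # (line_no, path, size)
    for no, line in enumerate(lines, 1):
        m = SIZE_FIELD.match(line)
        size = int(m.group(1).replace(',', '')) if m else None
        for p in WIN_PATH.findall(line):
            paths.append((no, p, size))
    seen = {p.lower() for _, p, _ in paths}
    findings = []
    for no, p, size in paths:
        if PADDED_EXT.search(p):
            c = collapse(p)
            findings.append(Finding(no, p, c, c.lower() in seen, size))
    return findings


# Constructed sample, modelled on the HijackThis and ComboFix lines quoted in
# the thread; sizes and dates are illustrative only.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
----a-w 286,720 2008-01-01 22:33:11 C:\Program Files\QuickTime\qttask .exe
----a-w 13,312 2008-01-09 20:44:10 C:\WINDOWS\system32\ctfmon .exe
"ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [2003-03-31 07:00 13312]
""".strip("\n").splitlines()


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        twin = "original name also present" if f.twin_in_log else "no unpadded twin in log"
        size = f"{f.size:,} bytes" if f.size is not None else "size not listed"
        print(f"line {f.line_no}: {f.path!r} ({size}; {twin})")
```

A hit where the unpadded twin is also present is the strongest signal: the padded copy is riding on the reputation of a name the reader already trusts.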
Senior Member
17. January 2008 @ 13:58
Wow, thanks for that, KotaGuy. I never would have seen that. Looking into it now.

KotaGuy
Member
17. January 2008 @ 14:07
No problem :)

The ComboFix scan may show other files that have been infected as well.

This new version of Vundo can be a right pain to get rid of.
sparky322
Newbie
17. January 2008 @ 16:15
The VundoFix log file shows the file deleted, but here is the report:

VundoFix V6.7.7

Checking Java version...

Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.

Scan started at 11:07:41 PM 1/2/2008

Listing files found while scanning....

C:\WINDOWS\system32\byteaqou.dll
C:\WINDOWS\system32\chjufjuc.ini
C:\WINDOWS\system32\cujfujhc.dll
C:\WINDOWS\system32\ddafqqqu.dll
C:\WINDOWS\system32\gmmetpti.dll
C:\WINDOWS\system32\gqwecopj.dll
C:\WINDOWS\system32\gsscikti.dll
C:\WINDOWS\system32\gypqyghg.dll
C:\WINDOWS\system32\hrmnpftw.dll
C:\WINDOWS\system32\idymjlvi.dll
C:\WINDOWS\system32\kawpcesa.dll
C:\WINDOWS\system32\kceypbrt.dll
C:\WINDOWS\system32\khfgggg.dll
C:\WINDOWS\system32\kkcvhwbn.dll
C:\WINDOWS\system32\pnuufvoe.dll
C:\WINDOWS\system32\rcvuustn.dll
C:\WINDOWS\system32\rypbunai.dll
C:\WINDOWS\system32\vwtyknjm.dll
C:\WINDOWS\system32\xisdgpxq.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\byteaqou.dll
C:\WINDOWS\system32\byteaqou.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\chjufjuc.ini
C:\WINDOWS\system32\chjufjuc.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\cujfujhc.dll
C:\WINDOWS\system32\cujfujhc.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ddafqqqu.dll
C:\WINDOWS\system32\ddafqqqu.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\gmmetpti.dll
C:\WINDOWS\system32\gmmetpti.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\gqwecopj.dll
C:\WINDOWS\system32\gqwecopj.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\gsscikti.dll
C:\WINDOWS\system32\gsscikti.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\gypqyghg.dll
C:\WINDOWS\system32\gypqyghg.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\hrmnpftw.dll
C:\WINDOWS\system32\hrmnpftw.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\idymjlvi.dll
C:\WINDOWS\system32\idymjlvi.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\kawpcesa.dll
C:\WINDOWS\system32\kawpcesa.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\kceypbrt.dll
C:\WINDOWS\system32\kceypbrt.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\khfgggg.dll
C:\WINDOWS\system32\khfgggg.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\kkcvhwbn.dll
C:\WINDOWS\system32\kkcvhwbn.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\pnuufvoe.dll
C:\WINDOWS\system32\pnuufvoe.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\rcvuustn.dll
C:\WINDOWS\system32\rcvuustn.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\rypbunai.dll
C:\WINDOWS\system32\rypbunai.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\vwtyknjm.dll
C:\WINDOWS\system32\vwtyknjm.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\xisdgpxq.dll
C:\WINDOWS\system32\xisdgpxq.dll Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

VundoFix V6.7.7

Checking Java version...

Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.

Scan started at 12:28:38 PM 1/12/2008

Listing files found while scanning....

C:\WINDOWS\system32\bduxkptl.dll
C:\WINDOWS\system32\drgjjhtr.ini
C:\WINDOWS\system32\drhdjrty.dll
C:\WINDOWS\system32\hnbojndg.exe
C:\WINDOWS\system32\hwabwymj.dll
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\isvunuey.dll
C:\WINDOWS\system32\lxgtdxtt.dll
C:\WINDOWS\system32\NeroCheck.exe
C:\WINDOWS\system32\pcfihoaw.dll
C:\WINDOWS\system32\rthjjgrd.dll
C:\WINDOWS\system32\ssvpdqdi.dll
C:\WINDOWS\system32\svgulryv.dll
C:\WINDOWS\system32\ttxdtgxl.ini
C:\WINDOWS\system32\ujqgadkd.dll
C:\WINDOWS\system32\yddigdyk.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\bduxkptl.dll
C:\WINDOWS\system32\bduxkptl.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\drgjjhtr.ini
C:\WINDOWS\system32\drgjjhtr.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\drhdjrty.dll
C:\WINDOWS\system32\drhdjrty.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\hnbojndg.exe
C:\WINDOWS\system32\hnbojndg.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\hwabwymj.dll
C:\WINDOWS\system32\hwabwymj.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxtray.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\isvunuey.dll
C:\WINDOWS\system32\isvunuey.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\lxgtdxtt.dll
C:\WINDOWS\system32\lxgtdxtt.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\NeroCheck.exe
C:\WINDOWS\system32\NeroCheck.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\pcfihoaw.dll
C:\WINDOWS\system32\pcfihoaw.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\rthjjgrd.dll
C:\WINDOWS\system32\rthjjgrd.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\ssvpdqdi.dll
C:\WINDOWS\system32\ssvpdqdi.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\svgulryv.dll
C:\WINDOWS\system32\svgulryv.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ttxdtgxl.ini
C:\WINDOWS\system32\ttxdtgxl.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\ujqgadkd.dll
C:\WINDOWS\system32\ujqgadkd.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\yddigdyk.dll
C:\WINDOWS\system32\yddigdyk.dll Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\rthjjgrd.dll
C:\WINDOWS\system32\rthjjgrd.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.7.7

Checking Java version...

Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.

Scan started at 8:28:51 PM 1/12/2008

Listing files found while scanning....

No infected files were found.


VundoFix V6.7.7

Checking Java version...

Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.

Scan started at 3:54:25 PM 1/16/2008

Listing files found while scanning....

No infected files were found.


VundoFix V6.7.7

Checking Java version...

Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.

Scan started at 4:13:11 PM 1/16/2008

Listing files found while scanning....

No infected files were found.


Beginning removal...

Attempting to delete C:\Documents and Settings\Katie\Local Settings\Temp\byvtu.dll
C:\Documents and Settings\Katie\Local Settings\Temp\byvtu.dll Has been deleted!

Performing Repairs to the registry.
Done!

Looking at the last couple of posts, they are completely over my head... so I think what I got from them is that I still have some work to do in order to get rid of this thing, so... let me know the next step whenever you guys can... thanks again for all the work so far!
Senior Member
17. January 2008 @ 16:31
Thanks for the VundoFix log. KotaGuy pointed out that Vundo has infected other files. ComboFix will show us these.

Download ComboFix.exe to the desktop from here.
Open ComboFix.exe and follow the prompts.
Note: Do not mouse-click ComboFix's window while it's running; it may cause it to stall.
When finished, it will produce a log for you. Please post that log.

This message has been edited since posting. Last time this message was edited on 17. January 2008 @ 16:31

sparky322
Newbie
17. January 2008 @ 16:58
Here is the logfile from the combofix program:
ComboFix 08-01-18.1 - Owner 2008-01-17 16:45:02.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.116 [GMT -5:00]
Running from: C:\Documents and Settings\Owner\My Documents\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\adaway.lic
C:\WINDOWS\smante~1
C:\WINDOWS\system32\altgkkid.ini
C:\WINDOWS\system32\chxkcksg.ini
C:\WINDOWS\system32\dkdagqju.ini
C:\WINDOWS\system32\dobe~1
C:\WINDOWS\system32\eftxjpkb.ini
C:\WINDOWS\system32\ghgyqpyg.ini
C:\WINDOWS\system32\ieeaietj.ini
C:\WINDOWS\system32\jpihyvlm.ini
C:\WINDOWS\system32\nehgkgvr.ini
C:\WINDOWS\system32\pgdksury.ini
C:\WINDOWS\system32\qlqvqarv.ini
C:\WINDOWS\system32\rcigiqjb.ini
C:\WINDOWS\system32\trbpyeck.ini
C:\WINDOWS\system32\uvwtjwvr.ini
C:\WINDOWS\system32\vlrecmki.ini
C:\WINDOWS\system32\vpssojsc.ini
C:\WINDOWS\system32\vyrlugvs.ini
C:\WINDOWS\system32\wfnvbsym.ini
C:\WINDOWS\system32\wtfpnmrh.ini
C:\WINDOWS\system32\wwenginb.ini
C:\WINDOWS\system32\xecbislv.ini
C:\WINDOWS\system32\xqsinkph.ini

.
((((((((((((((((((((((((( Files Created from 2007-12-18 to 2008-01-18 )))))))))))))))))))))))))))))))
.

2008-01-17 16:44 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-17 16:39 . 2008-01-17 16:39 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-17 16:39 . 2008-01-17 16:39 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-15 17:43 . 2008-01-15 17:43 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-01-15 16:59 . 2008-01-16 16:30 1,625,376 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-01-15 16:59 . 2008-01-16 16:30 39,712 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-01-15 16:59 . 2008-01-16 16:30 22,844 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-01-15 16:59 . 2008-01-16 16:30 4,796 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-01-15 16:53 . 2008-01-15 16:53 <DIR> d-------- C:\KAV
2008-01-15 16:43 . 2008-01-15 16:43 <DIR> d-------- C:\Program Files\CCleaner
2008-01-12 15:47 . 2008-01-16 16:32 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\AVG7
2008-01-12 15:44 . 2008-01-12 15:44 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-01-12 15:44 . 2008-01-12 15:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-01-12 15:44 . 2008-01-12 15:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-01-12 15:23 . 2008-01-16 20:08 <DIR> d-------- C:\HijackThis
2008-01-12 13:23 . 2008-01-12 13:23 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-12 13:01 . 2007-08-01 16:47 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-01-12 13:00 . 2008-01-12 13:19 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\HouseCall 6.6
2008-01-12 11:35 . 2008-01-12 11:35 <DIR> d-------- C:\Program Files\Lavasoft
2008-01-12 11:35 . 2008-01-12 11:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-12 11:34 . 2008-01-12 11:34 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-04 04:50 . 2008-01-04 04:50 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\TrojanHunter
2008-01-03 19:34 . 2008-01-05 13:07 <DIR> d-------- C:\Program Files\TrojanHunter 5.0
2008-01-02 23:25 . 2008-01-05 13:06 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-01-02 23:25 . 2008-01-02 23:25 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
2008-01-02 23:25 . 2008-01-02 23:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-01-02 23:07 . 2008-01-16 20:03 <DIR> d-------- C:\VundoFix Backups
2008-01-02 21:55 . 2008-01-04 17:34 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-01-02 21:55 . 2008-01-03 16:19 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-01-02 21:55 . 2005-09-23 07:29 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2008-01-02 21:52 . 2008-01-02 23:19 <DIR> d-------- C:\Program Files\Norton Security Scan
2008-01-02 21:35 . 2008-01-09 15:44 13,312 --a------ C:\WINDOWS\system32\ctfmon .exe
2007-12-26 15:55 . 2008-01-09 15:43 155,648 --a------ C:\WINDOWS\system32\NeroCheck .exe
2007-12-24 12:59 . 2008-01-16 20:13 <DIR> d-------- C:\Program Files\iTunes
2007-12-24 12:59 . 2007-12-24 12:59 <DIR> d-------- C:\Program Files\iPod
2007-12-24 12:52 . 2008-01-12 16:35 <DIR> d-------- C:\Program Files\QuickTime
2007-12-24 12:47 . 2007-12-24 12:47 <DIR> d-------- C:\Program Files\Apple Software Update
2007-12-24 12:47 . 2007-12-24 12:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2007-12-24 11:39 . 2007-12-24 11:39 <DIR> d-------- C:\Documents and Settings\Katie\Application Data\Apple Computer
2007-12-24 11:35 . 2004-06-23 13:39 <DIR> d--h----- C:\Documents and Settings\Katie\WLANProfiles
2007-12-24 11:35 . 2004-06-23 13:17 <DIR> d-------- C:\Documents and Settings\Katie\Application Data\Symantec
2007-12-24 11:35 . 2004-06-23 14:18 <DIR> d-------- C:\Documents and Settings\Katie\Application Data\CyberLink

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-17 01:21 --------- d-----w C:\Documents and Settings\Owner\Application Data\LimeWire
2008-01-16 01:05 --------- d-----w C:\Program Files\OpenOffice.org 2.2
2008-01-13 05:39 --------- d-----w C:\Program Files\Yahoo!
2008-01-12 21:33 --------- d-----w C:\Program Files\SymNetDrv
2008-01-12 21:33 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-01-12 16:26 --------- d-----w C:\Documents and Settings\Owner\Application Data\Lavasoft
2007-12-04 22:42 --------- d-----w C:\Documents and Settings\Owner\Application Data\OpenOffice.org2
2007-12-02 03:57 --------- d-----w C:\Documents and Settings\Owner\Application Data\Move Networks
.

----a-w 185,632 2008-01-04 22:45:01 C:\Program Files\Common Files\Real\Update_OB\realsched .exe
----a-w 71,280 2008-01-04 22:44:46 C:\Program Files\Common Files\Symantec Shared\ccApp .exe
----a-w 124,096 2008-01-12 17:42:23 C:\Program Files\Common Files\Symantec Shared\CfgWiz .exe
----a-w 32,768 2008-01-12 17:42:25 C:\Program Files\CyberLink\PowerDVD\PDVDServ .exe
----a-w 86,016 2008-01-09 20:43:54 C:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr .exe
----a-w 267,048 2008-01-12 17:42:38 C:\Program Files\iTunes\iTunesHelper .exe
----a-w 77,824 2008-01-12 17:42:28 C:\Program Files\Java\jre1.6.0\bin\jusched .exe
----a-w 53,248 2008-01-04 22:44:50 C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask .exe
----a-w 286,720 2008-01-01 22:33:11 C:\Program Files\QuickTime\qttask .exe
----a-w 1,065,288 2008-01-03 20:54:17 C:\Program Files\Spyware Doctor\SDTrayApp .exe
----a-w 1,318,912 2008-01-04 22:45:26 C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware .exe
----a-w 95,960 2008-01-12 17:42:28 C:\Program Files\SymNetDrv\SNDMon .exe
----a-w 499,712 2008-01-12 17:42:29 C:\Program Files\Synaptics\SynTP\SynTPEnh .exe
----a-w 98,304 2008-01-12 17:42:28 C:\Program Files\Synaptics\SynTP\SynTPLpr .exe
----a-w 13,312 2008-01-09 20:44:10 C:\WINDOWS\system32\ctfmon .exe
----a-w 155,648 2008-01-09 20:43:54 C:\WINDOWS\system32\NeroCheck .exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [2003-03-31 07:00 13312]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [ ]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [ ]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [ ]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [ ]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [ ]
"PRONoMgr.exe"="C:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe" [ ]
"mmtask"="c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe" [ ]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [ ]
"QuickTime Task"="C:\Program Files\QuickTime\qttask .exe" [ ]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [ ]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-12-11 12:10 267048]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-01-12 15:44 219136]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
C:\WINDOWS\System32\LgNotify.dll 2003-12-16 18:49 110592 C:\WINDOWS\system32\LgNotify.dll

R0 rmedia;Ricoh MediaCard Driver;C:\WINDOWS\System32\DRIVERS\rmedia.sys [2003-10-20 21:09]
R0 sonyhcb;Sony Digital Imaging Base;C:\WINDOWS\System32\DRIVERS\sonyhcb.sys [2001-11-05 09:23]
S3 sonyhcs;Sony Digital Imaging Video;C:\WINDOWS\System32\DRIVERS\sonyhcs.sys [2001-11-05 09:23]

*Newly Created Service* - ALG
*Newly Created Service* - IPNAT
.
Contents of the 'Scheduled Tasks' folder
"2007-03-23 11:17:05 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-01-05 17:48:12 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job"
- C:\PROGRA~1\NORTON~1\Navw32.exeh/task:
"2008-01-03 02:52:41 C:\WINDOWS\Tasks\Norton Security Scan.job"
- C:\Program Files\Norton Security Scan\Nss.exe
"2006-12-10 00:51:18 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-18 16:53:36
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-18 16:56:43 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-18 21:56:40
Senior Member
17. January 2008 @ 22:59
Open Notepad.
Copy all the text in bold, then paste it into Notepad.

Folder::
C:\VundoFix Backups

File::
C:\WINDOWS\system32\ctfmon .exe
C:\WINDOWS\system32\NeroCheck .exe

RenV::
C:\Program Files\Common Files\Real\Update_OB\realsched .exe
C:\Program Files\Common Files\Symantec Shared\ccApp .exe
C:\Program Files\Common Files\Symantec Shared\CfgWiz .exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ .exe
C:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr .exe
C:\Program Files\iTunes\iTunesHelper .exe
C:\Program Files\Java\jre1.6.0\bin\jusched .exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\Spyware Doctor\SDTrayApp .exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware .exe
C:\Program Files\SymNetDrv\SNDMon .exe
C:\Program Files\Synaptics\SynTP\SynTPEnh .exe
C:\Program Files\Synaptics\SynTP\SynTPLpr .exe
C:\WINDOWS\system32\ctfmon .exe
C:\WINDOWS\system32\NeroCheck .exe



Name the file CFScript.txt and save it to your desktop.
Click, drag and drop the CFScript.txt onto the ComboFix.exe icon.
ComboFix will now run a scan on your system. It may reboot your system when it finishes.
When finished, it will produce a log for you.
Please post that log along with a new HijackThis log.
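An added example, not part of either post above: the ComboFix log posted earlier lists a run of executables whose file name carries a space directly before the extension ("ctfmon .exe", "qttask .exe"), and the helper's CFScript lists exactly those paths under RenV::. The script below, written for this thread, parses log text in the two formats seen above (the Find3M-style file listing and the REGEDIT4 Run-key entries), pulls out every path with that spaced name, works out the name RenV:: would restore each one to, flags Run values that autostart a spaced copy, and prints a RenV:: section laid out like the helper's script. The sample log is constructed from lines quoted in the thread; the function names, the regexes, and the reading of an empty "[ ]" after a Run value as "ComboFix recorded no file info for the target" are this example's own assumptions, and nothing here claims ComboFix semantics beyond what the post shows.

```python
"""Triage a ComboFix-style log for executables named "<name> .exe".

Example written for this thread, not ComboFix's or the poster's code.
Assumptions: paths start with a drive letter, Run values look like
"Name"="command" [meta], and an empty "[ ]" means no file info was recorded.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample built from lines quoted in the thread (both log formats).
SAMPLE_LOG = r"""
----a-w 185,632 2008-01-04 22:45:01 C:\Program Files\Common Files\Real\Update_OB\realsched .exe
----a-w 13,312 2008-01-09 20:44:10 C:\WINDOWS\system32\ctfmon .exe
----a-w 286,720 2008-01-01 22:33:11 C:\Program Files\QuickTime\qttask .exe
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [2003-03-31 07:00 13312]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [ ]
"QuickTime Task"="C:\Program Files\QuickTime\qttask .exe" [ ]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-12-11 12:10 267048]
"""

# A drive-letter path up to the first executable extension; quotes and
# brackets end it so registry lines and [meta] blocks do not bleed in.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\r\n\[\]]+?\.(?:exe|dll|com|scr)\b', re.IGNORECASE)
# A single space immediately before the extension: the naming trick in the log.
SPACED_RE = re.compile(r' \.(?:exe|dll|com|scr)$', re.IGNORECASE)
# REGEDIT4 Run value: "Name"="command" [optional file info]
RUN_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<cmd>[^"]*)"(?P<meta>.*)$')


def find_paths(text: str) -> List[str]:
    """Every executable path mentioned anywhere in the log, in order."""
    return PATH_RE.findall(text)


def spaced_names(paths: List[str]) -> List[str]:
    """Paths whose file name has a space directly before the extension, deduplicated."""
    seen: List[str] = []
    lowered = set()
    for p in paths:
        if SPACED_RE.search(p) and p.lower() not in lowered:
            seen.append(p)
            lowered.add(p.lower())
    return seen


def restore_plan(text: str) -> List[Tuple[str, str]]:
    """(spaced path, name it would be restored to) for each spaced executable."""
    return [(p, re.sub(r' (\.\w+)$', r'\1', p)) for p in spaced_names(find_paths(text))]


def triage_run_values(text: str) -> Dict[str, str]:
    """Verdict per Run value: spaced target, no file info recorded, or ok."""
    verdicts: Dict[str, str] = {}
    for line in text.splitlines():
        m = RUN_VALUE_RE.match(line.strip())
        if not m:
            continue
        cmd, meta = m.group('cmd'), m.group('meta').strip()
        if SPACED_RE.search(cmd):
            verdicts[m.group('name')] = 'autostarts a spaced copy'
        elif meta == '[ ]':
            verdicts[m.group('name')] = 'no file info (target may be missing)'
        else:
            verdicts[m.group('name')] = 'ok'
    return verdicts


def build_cfscript(text: str) -> str:
    """RenV:: section in the layout of the helper's CFScript (blank line ends it)."""
    return '\n'.join(['RenV::'] + spaced_names(find_paths(text)) + [''])


if __name__ == '__main__':
    for spaced, restored in restore_plan(SAMPLE_LOG):
        print(f'{spaced}  ->  {restored}')
    for name, verdict in triage_run_values(SAMPLE_LOG).items():
        print(f'Run value {name!r}: {verdict}')
    print(build_cfscript(SAMPLE_LOG))
```

Run it against the full log text to get the RenV:: list without retyping paths by hand; the Run-value triage is what points at the autostart entries (here "QuickTime Task") that would relaunch a spaced copy after the rename, which is why a fresh HijackThis log is asked for afterwards.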

 
  © 1999-2025 by AfterDawn Ltd.
