1. You are viewing our forum as a guest. For full access please Register. WindowsBBS.com is completely free, paid for by advertisers and donations.

Spyware problems - hijackthis log included.

Discussion in 'Malware and Virus Removal Archive' started by Alex W, 2006/10/18.

Thread Status:
Not open for further replies.
  1. 2006/10/18
    Alex W

    Alex W Inactive Thread Starter

    Joined:
    2006/08/14
    Messages:
    53
    Likes Received:
    0
    G'day mates, I'm on a friends computer helping him with his spyware problems, from what I can tell there seems to be a number of malicious programs running, he gets pop ups regularly etc.

    Any help would be greatly appreciated.

    Here is the hijack this log file.

    Logfile of HijackThis v1.99.1
    Scan saved at 4:09:44 PM, on 18/10/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    c:\Program Files\Norton Internet Security\ISSVC.exe
    c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    c:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
    C:\windows\system\hpsysdrv.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\HP\KBD\KBD.EXE
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\ALCWZRD.EXE
    C:\WINDOWS\ALCMTR.EXE
    C:\Program Files\dvd43\dvd43_tray.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\atwtusb.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\WINDOWS\system32\TBLMOUSE.EXE
    C:\Program Files\Compaq Connections\6750491\Program\Compaq Connections.exe
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Compaq_Owner\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_AU&c=Q105&bd=presario&pf=desktop
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_AU&c=Q105&bd=presario&pf=desktop
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_AU&c=Q105&bd=presario&pf=desktop
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_AU&c=Q105&bd=presario&pf=desktop
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_AU&c=Q105&bd=presario&pf=desktop
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_AU&c=Q105&bd=presario&pf=desktop
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_AU&c=Q105&bd=presario&pf=desktop
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_AU&c=Q105&bd=presario&pf=desktop
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
    O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe "
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [dvd43] C:\Program Files\dvd43\dvd43_tray.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [BigPondCable] "C:\Program Files\Telstra\Cable Login\bpcable.exe" /r
    O4 - HKLM\..\Run: [uhvjsul.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\uhvjsul.dll,mrpmvyf
    O4 - HKLM\..\Run: [atwtusb] atwtusb.exe beta
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
    O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_0
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\6750491\Program\Compaq Connections.exe
    O4 - Global Startup: svchost.exe
    O8 - Extra context menu item: Download &Flash Movies - C:\Program Files\Flash Hunter\save.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - c:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O9 - Extra button: Flash2X Flash Hunter - {77B563A5-2A35-4E6B-BFC8-F4B6BB65D5DF} - C:\Program Files\Flash Hunter\save.htm (file missing) (HKCU)
    O9 - Extra 'Tools' menuitem: &Launch Flash Hunter - {77B563A5-2A35-4E6B-BFC8-F4B6BB65D5DF} - C:\Program Files\Flash Hunter\save.htm (file missing) (HKCU)
    O9 - Extra button: Flash Decompiler SWF Capture tool - {86B4FC19-8FA4-4FD3-B243-9AEDB42FA2D5} - C:\PROGRA~1\FLASHD~1\iebt.dll (HKCU)
    O9 - Extra 'Tools' menuitem: Flash Decompiler SWF Capture tool menu - {86B4FC19-8FA4-4FD3-B243-9AEDB42FA2D5} - C:\PROGRA~1\FLASHD~1\iebt.dll (HKCU)
    O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-30.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
    O16 - DPF: {DAF5D9A2-D982-4671-83E4-0398706A5F6A} (SCEWebLauncherCtl Object) - http://zone.msn.com/bingame/hsol/default/SCEWebLauncher.cab
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O23 - Service: BigPond Broadband Cable Login (bpcService) - Unknown owner - C:\Program Files\Telstra\Cable Login\bpcService.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: ISSvc (ISSVC) - Symantec Corporation - c:\Program Files\Norton Internet Security\ISSVC.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
     
    Alex W,
    #1
  2. 2006/10/18
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Hello and welcome to WindowsBBS Forums.

    Yes I see a couple of items which don't look right\belong.

    Below you will find my results and recommendations. Please read ALL instructions carefully BEFORE proceeding.


    Please follow these instructions, exactly, for proper HJT installation. Please place HJT into ITS OWN PERMANANT FOLDER. It also needs to be removed from the desktop.

    You can do this by going to My Computer (Windows key+e) then double click on C: then right click and select New then Folder and name it HJT. (C:\HJT\HijackThis.exe)Move HijackThis.exe into this folder. When you run HijackThis.exe from C:\HJT folder and have it "Fixed checked" it will create a backup file of modifications to use if restore is necessary which is easily accessible.


    Please go to http://virusscan.jotti.org , click on Browse, and upload the following file for analysis:
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\svchost.exe<<<--this file should not be running from there

    Then click Submit. Allow the file to be scanned, and then please copy and paste the results here for me to see.

    Be patient as this site is usually very busy.

    Also please submit the file to Norman Sandbox File Submission. A valid email is required but there is no worry as the site is fully trustful. They will send you back a detailed analysis of the file and please post contents of the analysis back here.


    Run Hijackthis and look over the following entries I have listed, check the boxes next to them and press the "Fix Checked" button with HijackThis. When you are doing this, make sure you have No IE windows, or other browsers open, including this one. Reboot if I have specified below, and post a fresh HijackThis log.

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TY... io&pf=desktop

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TY...rio&pf=desktop

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TY... io&pf=desktop

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TY...rio&pf=desktop

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TY...rio&pf=desktop

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TY...rio&pf=desktop

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TY... io&pf=desktop

    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TY... io&pf=desktop

    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =



    O4 - HKLM\..\Run: [uhvjsul.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\uhvjsul.dll,mrpmvyf


    Reboot, into safe mode, this way:
    Turn on the computer
    Immediately begin tapping the <F8> key.
    Use the arrow keys to highlight Safe Mode and press the <Enter> key.

    Also, enable the 'Show Hidden Folders' option, like this:
    Click Start.
    Open My Computer.
    Select the Tools menu and click Folder Options.
    Select the View Tab. Under the Hidden files and folders heading select Show hidden files and folders.
    Uncheck the Hide protected operating system files (recommended) option.
    Click Yes to confirm.
    Click OK.

    And search for, then delete, if found, (some may not be present after previous steps) the following files/folders:
    C:\WINDOWS\system32\uhvjsul.dll<<<--this file

    To exit Safe Mode, click the Start button, click Turn Off Computer, click Restart.

    Post a new HJT log back into this thread please.
     
    TeMerc,
    #2


  3. to hide this advert.

  4. 2006/10/18
    Alex W

    Alex W Inactive Thread Starter

    Joined:
    2006/08/14
    Messages:
    53
    Likes Received:
    0
    Ok great, here's the scan from Jotti's malware scan:


    File: svchost.exe
    Status: INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
    MD5 70a78454848b44eb12f308376fb0eec5
    Packers detected: -
    Scanner results
    AntiVir Found Trojan/Drop.VB.LU.2
    ArcaVir Found Trojan.Dropper.Vb.Lu
    Avast Found Win32:Trojan-gen. {VB}
    AVG Antivirus Found Dropper.Generic.DZD
    BitDefender Found Win32.Worm.VB.Ymeak.A
    ClamAV Found Trojan.VB-154
    Dr.Web Found Trojan.MulDrop.3338
    F-Prot Antivirus Found W32/Trojan.CZP
    Fortinet Found W32/Dropper.EM!tr
    Kaspersky Anti-Virus Found Trojan-Dropper.Win32.VB.lu
    NOD32 Found Win32/TrojanDropper.VB.LU
    Norman Virus Control Found W32/Smalldrp.GVT
    VirusBuster Found Trojan.DR.VB.WED
    VBA32 Found Trojan-Dropper.Win32.VB.lu


    and here's the scan from the Norman Sandbox Information Center:

    svchost.exe : Not detected by Sandbox (Signature: W32/Smalldrp.GVT)

    [ General information ]
    * Applications uses MSVBVM60.DLL (Visual Basic 6).
    * Form uses id Form.
    * Form uses id Timer.
    * File length: 268800 bytes.
    * MD5 hash: 70a78454848b44eb12f308376fb0eec5.

    [ Process/window information ]
    * Creates a COM object with CLSID {FCFB3D23-A0FA-1068-A738-08002B3371B5} :
    VBRuntime.
    * Creates a COM object with CLSID {E93AD7C1-C347-11D1-A3E2-00A0C90AEA82} :
    VBRuntime6.

    (C) 2004-2006 Norman ASA. All Rights Reserved.

    The material presented is distributed by Norman ASA as an information source
    only.


    Sent by alexwallbank207@hotmail.com. Received 18.Oct 2006 at 10.22 - processed
    18.Oct 2006 at 10.22.


    I followed the other steps and deleted uhvjsul.dll too.



    Here is the new HJT log file after completing the previous steps:

    Logfile of HijackThis v1.99.1
    Scan saved at 6:57:21 PM, on 18/10/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    c:\Program Files\Norton Internet Security\ISSVC.exe
    c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    c:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
    C:\windows\system\hpsysdrv.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\HP\KBD\KBD.EXE
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\ALCWZRD.EXE
    C:\WINDOWS\ALCMTR.EXE
    C:\Program Files\dvd43\dvd43_tray.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\atwtusb.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\WINDOWS\system32\TBLMOUSE.EXE
    C:\Program Files\Compaq Connections\6750491\Program\Compaq Connections.exe
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\svchost.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\System32\svchost.exe
    C:\HJT\HijackThis.exe

    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
    O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe "
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [dvd43] C:\Program Files\dvd43\dvd43_tray.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [BigPondCable] "C:\Program Files\Telstra\Cable Login\bpcable.exe" /r
    O4 - HKLM\..\Run: [atwtusb] atwtusb.exe beta
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
    O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_0
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\6750491\Program\Compaq Connections.exe
    O4 - Global Startup: svchost.exe
    O8 - Extra context menu item: Download &Flash Movies - C:\Program Files\Flash Hunter\save.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - c:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O9 - Extra button: Flash2X Flash Hunter - {77B563A5-2A35-4E6B-BFC8-F4B6BB65D5DF} - C:\Program Files\Flash Hunter\save.htm (file missing) (HKCU)
    O9 - Extra 'Tools' menuitem: &Launch Flash Hunter - {77B563A5-2A35-4E6B-BFC8-F4B6BB65D5DF} - C:\Program Files\Flash Hunter\save.htm (file missing) (HKCU)
    O9 - Extra button: Flash Decompiler SWF Capture tool - {86B4FC19-8FA4-4FD3-B243-9AEDB42FA2D5} - C:\PROGRA~1\FLASHD~1\iebt.dll (HKCU)
    O9 - Extra 'Tools' menuitem: Flash Decompiler SWF Capture tool menu - {86B4FC19-8FA4-4FD3-B243-9AEDB42FA2D5} - C:\PROGRA~1\FLASHD~1\iebt.dll (HKCU)
    O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-30.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
    O16 - DPF: {DAF5D9A2-D982-4671-83E4-0398706A5F6A} (SCEWebLauncherCtl Object) - http://zone.msn.com/bingame/hsol/default/SCEWebLauncher.cab
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O23 - Service: BigPond Broadband Cable Login (bpcService) - Unknown owner - C:\Program Files\Telstra\Cable Login\bpcService.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: ISSvc (ISSVC) - Symantec Corporation - c:\Program Files\Norton Internet Security\ISSVC.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
     
    Alex W,
    #3
  5. 2006/10/18
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    OK, I knew that file was a baddie. :mad:

    As a back up, lets get an online virus scan and fix\remove what's showing.

    Below you will find my results and recommendations. Please read ALL instructions carefully BEFORE proceeding.


    Go to this page, Panda ActiveScan
    • Click the 'Scan your PC' button. ( You may have to disable any pop up blockers)
    • Then press the green 'Check Now' button.
    • Enter your country and state along with a valid email address.
    • Allow the ActiveX install, it may be a few minutes for all components. (For XP SP 2 watch for the yellow bar at the top of IE)
    • Once installation is complete you will need to select a device to scan. Please select 'My Computer' and the scan will begin.
    • Once the scan is done, click the 'See report' button, then the 'save report' button. Be sure to save the log file created in a place easy for you to find.

    Please hit Hit 'Ctrl' + 'Alt' + 'Delete' to bring up running processes and 'End Task' on the following process(es) if present:
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\svchost.exe


    Run Hijackthis and look over the following entries I have listed, check the boxes next to them and press the "Fix Checked" button with HijackThis. When you are doing this, make sure you have No IE windows, or other browsers open, including this one. Reboot if I have specified below, and post a fresh HijackThis log.

    O4 - Global Startup: svchost.exe


    Reboot, into safe mode, this way:
    Turn on the computer
    Immediately begin tapping the <F8> key.
    Use the arrow keys to highlight Safe Mode and press the <Enter> key.

    Also, enable the 'Show Hidden Folders' option, like this:
    Click Start.
    Open My Computer.
    Select the Tools menu and click Folder Options.
    Select the View Tab. Under the Hidden files and folders heading select Show hidden files and folders.
    Uncheck the Hide protected operating system files (recommended) option.
    Click Yes to confirm.
    Click OK.

    And search for, then delete, if found, (some may not be present after previous steps) the following files/folders:
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\svchost.exe<<<<---this file*** Note file path, do not delete any other svchost.exes in any other folders.

    To exit Safe Mode, click the Start button, click Turn Off Computer, click Restart.

    Post a new HJT log back into this thread please.
     
    TeMerc,
    #4
  6. 2006/10/19
    Alex W

    Alex W Inactive Thread Starter

    Joined:
    2006/08/14
    Messages:
    53
    Likes Received:
    0
    Thanks a lot for all the help so far :)

    Firstly, here's the log file from Pandascan:


    Incident Status Location

    Virus:Trj/DisableKey.A Disinfected Operating system
    Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\vhgtwevn.dll
    Virus:W32/Gaobot.MJA.worm Disinfected Operating system
    Potentially unwanted tool:application/bestoffer Not disinfected c:\windows\smdat32m.sys
    Adware:adware/dollarrevenue Not disinfected Windows Registry
    Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\ndp2afyl.default\cookies.txt[.atdmt.com/]
    Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\ndp2afyl.default\cookies.txt[.2o7.net/]
    Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\ndp2afyl.default\cookies.txt[statse.webtrendslive.com/]
    Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\ndp2afyl.default\cookies.txt[.casalemedia.com/]
    Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\ndp2afyl.default\cookies.txt[.bs.serving-sys.com/]
    Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\ndp2afyl.default\cookies.txt[.serving-sys.com/]
    Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\ndp2afyl.default\cookies.txt[.tribalfusion.com/]
    Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\ndp2afyl.default\cookies.txt[.xiti.com/]
    Spyware:Cookie/Reliablestats Not disinfected C:\Documents and Settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\ndp2afyl.default\cookies.txt[stats1.reliablestats.com/]
    Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@2o7[2].txt
    Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@ad.sensismediasmart.com[1].txt
    Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@ad.yieldmanager[1].txt
    Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@atwola[1].txt
    Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@burstnet[2].txt
    Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@com[1].txt
    Spyware:Cookie/did-it Not disinfected C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@did-it[1].txt
    Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@drivecleaner[2].txt
    Spyware:Cookie/Findwhat Not disinfected C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@findwhat[1].txt
    Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@go[2].txt
    Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@overture[1].txt
    Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@serving-sys[1].txt
    Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@stats.drivecleaner[1].txt
    Spyware:Cookie/Reliablestats Not disinfected C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@stats1.reliablestats[2].txt
    Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@tribalfusion[1].txt
    Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@www.drivecleaner[1].txt
    Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@xiti[1].txt
    Spyware:Spyware/Virtumonde Not disinfected C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\dpkwfmol.dll
    Spyware:Spyware/Virtumonde Not disinfected C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\epohywlh.dll
    Spyware:Spyware/Virtumonde Not disinfected C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\hstadism.dll
    Spyware:Spyware/Virtumonde Not disinfected C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\ijtrqtst.dll
    Potentially unwanted tool:Application/VSToolbar Not disinfected C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\isvmrquu.exe
    Spyware:Spyware/Virtumonde Not disinfected C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\kelmjjup.dll
    Spyware:Spyware/Virtumonde Not disinfected C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\mhcffnwl.dll
    Spyware:Spyware/Virtumonde Not disinfected C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\ntarbcvp.dll
    Spyware:Spyware/Virtumonde Not disinfected C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\oqkuovmo.dll
    Spyware:Spyware/Virtumonde Not disinfected C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\oxakpduq.dll
    Spyware:Spyware/Virtumonde Not disinfected C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\pcfmkvjv.dll
    Spyware:Spyware/Virtumonde Not disinfected C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\pechphaf.dll
    Spyware:Spyware/Virtumonde Not disinfected C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\pttfrfcv.dll
    Spyware:Spyware/Virtumonde Not disinfected C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\qwadjqor.dll
    Spyware:Spyware/Virtumonde Not disinfected C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\rmbpmqsm.dll
    Spyware:Spyware/Virtumonde Not disinfected C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\sgkpwfhk.dll
    Spyware:Spyware/Virtumonde Not disinfected C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\ttxmyave.dll
    Spyware:Spyware/Virtumonde Not disinfected C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\tvfvxtbc.dll
    Spyware:Spyware/Virtumonde Not disinfected C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\uelipujb.dll
    Spyware:Spyware/Virtumonde Not disinfected C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\ukuomuto.dll
    Spyware:Spyware/Virtumonde Not disinfected C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\utnplpej.dll
    Spyware:Spyware/Virtumonde Not disinfected C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\vlkamugh.dll
    Spyware:Spyware/Virtumonde Not disinfected C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\wgrpetwd.dll
    Spyware:Spyware/Virtumonde Not disinfected C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\win8EE.tmp.exe
    Virus:Trj/DisableKey.A Disinfected C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\win8F2.tmp.exe
    Adware:Adware/SecurityError Not disinfected C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\win8F7.tmp.exe
    Spyware:Spyware/Virtumonde Not disinfected C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\wllklove.dll
    Spyware:Spyware/Virtumonde Not disinfected C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\yksvkxux.dll
    Virus:W32/Gaobot.MJA.worm Disinfected C:\Documents and Settings\Compaq_Owner\Shared\_\xzxzxzxzxzxz.exe
    Potentially unwanted tool:Application/KillApp.B Not disinfected C:\hp\bin\KillIt.exe
    Spyware:Spyware/Virtumonde Not disinfected C:\Program Files\Common Files\{3D77C1DF-0D49-1033-0216-05012605003d}\services.dll
    Virus:Trj/DisableKey.A Disinfected C:\RECYCLER\S-1-5-21-3605739851-2827240690-4174217982-1007\Dc2.dll
    Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\cbxusrp.dll
    Dialer:Dialer.HVO Not disinfected C:\WINDOWS\system32\cool.exe
    Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\jqokigwi.dll
    Adware:Adware/WebSearch Not disinfected C:\WINDOWS\system32\rwjkpvnu.dll
    Virus:Trj/DisableKey.A Disinfected C:\WINDOWS\system32\unaoakg.dll
    Potentially unwanted tool:Application/VSToolbar Not disinfected C:\WINDOWS\system32\yvbxnsyj.exe


    (continued...)
     
    Alex W,
    #5
  7. 2006/10/19
    Alex W

    Alex W Inactive Thread Starter

    Joined:
    2006/08/14
    Messages:
    53
    Likes Received:
    0
    And here's the latest HJT log:

    Logfile of HijackThis v1.99.1
    Scan saved at 10:30:17 PM, on 19/10/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    c:\Program Files\Norton Internet Security\ISSVC.exe
    c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    c:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
    C:\windows\system\hpsysdrv.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\HP\KBD\KBD.EXE
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\ALCWZRD.EXE
    C:\WINDOWS\ALCMTR.EXE
    C:\Program Files\dvd43\dvd43_tray.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\atwtusb.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\WINDOWS\system32\TBLMOUSE.EXE
    C:\Program Files\Compaq Connections\6750491\Program\Compaq Connections.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\System32\svchost.exe
    C:\HJT\HijackThis.exe

    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
    O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe "
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [dvd43] C:\Program Files\dvd43\dvd43_tray.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [BigPondCable] "C:\Program Files\Telstra\Cable Login\bpcable.exe" /r
    O4 - HKLM\..\Run: [atwtusb] atwtusb.exe beta
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
    O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_0
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\6750491\Program\Compaq Connections.exe
    O8 - Extra context menu item: Download &Flash Movies - C:\Program Files\Flash Hunter\save.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - c:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O9 - Extra button: Flash2X Flash Hunter - {77B563A5-2A35-4E6B-BFC8-F4B6BB65D5DF} - C:\Program Files\Flash Hunter\save.htm (file missing) (HKCU)
    O9 - Extra 'Tools' menuitem: &Launch Flash Hunter - {77B563A5-2A35-4E6B-BFC8-F4B6BB65D5DF} - C:\Program Files\Flash Hunter\save.htm (file missing) (HKCU)
    O9 - Extra button: Flash Decompiler SWF Capture tool - {86B4FC19-8FA4-4FD3-B243-9AEDB42FA2D5} - C:\PROGRA~1\FLASHD~1\iebt.dll (HKCU)
    O9 - Extra 'Tools' menuitem: Flash Decompiler SWF Capture tool menu - {86B4FC19-8FA4-4FD3-B243-9AEDB42FA2D5} - C:\PROGRA~1\FLASHD~1\iebt.dll (HKCU)
    O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-30.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
    O16 - DPF: {DAF5D9A2-D982-4671-83E4-0398706A5F6A} (SCEWebLauncherCtl Object) - http://zone.msn.com/bingame/hsol/default/SCEWebLauncher.cab
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O23 - Service: BigPond Broadband Cable Login (bpcService) - Unknown owner - C:\Program Files\Telstra\Cable Login\bpcService.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: ISSvc (ISSVC) - Symantec Corporation - c:\Program Files\Norton Internet Security\ISSVC.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe



    Of note:

    In HJT, I was unable to find the entry:

    04 - Global Startup: svchost.exe

    Also, when I booted into safe mode, I was unable to find:

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\svchost.exe
     
    Alex W,
    #6
  8. 2006/10/19
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Ok, the Panda scan revealed you have a Vundo infection, so lets use the Vundo removal tool.

    Please download VundoFix.exe to your desktop.
    • Double-click *VundoFix.exe* to run it.
    • Click the *Scan for Vundo* button.
    • Once it's done scanning, click the *Remove Vundo* button.
    • You will receive a prompt asking if you want to remove the files, click *YES*
    • Once you click yes, your desktop will go blank as it starts removing Vundo.
    • When completed, it will prompt that it will reboot your computer, click *OK*.
    • Please post the contents of C:\*vundofix.txt* and a new HiJackThis log.

    Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the *Scan for Vundo* button." when
    VundoFix appears at reboot.

    Lets also run another file finding tool and see what else is lurking.

    Download combofix.exe
    • Double click combofix.exe & follow the prompts.
    • When finished, it shall produce a log for you. Post that log in your next reply

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

    Once both have been run please give me a fresh HJT log file as well, along with the two resultant other logs, thanks.
     
    TeMerc,
    #7
  9. 2006/10/20
    Alex W

    Alex W Inactive Thread Starter

    Joined:
    2006/08/14
    Messages:
    53
    Likes Received:
    0
    Ok, here's the contents of vundofix.txt:


    VundoFix V6.2.6

    Checking Java version...

    Java version is 1.4.2.3

    Java version is 1.5.0.3

    Scan started at 18:20:32 06-10-20

    Listing files found while scanning....

    C:\WINDOWS\system32\cbxusrp.dll
    C:\WINDOWS\system32\ddcca.dll
    C:\WINDOWS\system32\accdd.ini
    C:\WINDOWS\system32\accdd.bak1
    C:\WINDOWS\system32\accdd.bak2
    C:\WINDOWS\system32\jqokigwi.dll
    C:\WINDOWS\system32\rwjkpvnu.dll
    C:\WINDOWS\system32\vhgtwevn.dll
    C:\WINDOWS\system32\yvbxnsyj.exe
    C:\Program Files\Common Files\{3D77C1DF-0D49-1033-0216-05012605003d}\services.dll
    C:\WINDOWS\system32\ddcca.dll
    C:\WINDOWS\system32\accdd.ini
    C:\WINDOWS\system32\accdd.bak1
    C:\WINDOWS\system32\accdd.bak2
    C:\WINDOWS\system32\accdd.ini
    C:\WINDOWS\system32\accdd.bak1
    C:\WINDOWS\system32\accdd.bak2

    Beginning removal...

    Attempting to delete C:\WINDOWS\system32\cbxusrp.dll
    C:\WINDOWS\system32\cbxusrp.dll Has been deleted!

    Attempting to delete C:\WINDOWS\system32\ddcca.dll
    C:\WINDOWS\system32\ddcca.dll Could not be deleted.

    Attempting to delete C:\WINDOWS\system32\accdd.ini
    C:\WINDOWS\system32\accdd.ini Has been deleted!

    Attempting to delete C:\WINDOWS\system32\accdd.bak1
    C:\WINDOWS\system32\accdd.bak1 Has been deleted!

    Attempting to delete C:\WINDOWS\system32\accdd.bak2
    C:\WINDOWS\system32\accdd.bak2 Has been deleted!

    Attempting to delete C:\WINDOWS\system32\jqokigwi.dll
    C:\WINDOWS\system32\jqokigwi.dll Has been deleted!

    Attempting to delete C:\WINDOWS\system32\rwjkpvnu.dll
    C:\WINDOWS\system32\rwjkpvnu.dll Has been deleted!

    Attempting to delete C:\WINDOWS\system32\vhgtwevn.dll
    C:\WINDOWS\system32\vhgtwevn.dll Has been deleted!

    Attempting to delete C:\WINDOWS\system32\yvbxnsyj.exe
    C:\WINDOWS\system32\yvbxnsyj.exe Has been deleted!

    Attempting to delete C:\Program Files\Common Files\{3D77C1DF-0D49-1033-0216-05012605003d}\services.dll
    C:\Program Files\Common Files\{3D77C1DF-0D49-1033-0216-05012605003d}\services.dll Has been deleted!

    Attempting to delete C:\WINDOWS\system32\ddcca.dll
    C:\WINDOWS\system32\ddcca.dll Could not be deleted.

    Performing Repairs to the registry.
    Done!

    Beginning removal...

    Attempting to delete C:\WINDOWS\system32\ddcca.dll
    C:\WINDOWS\system32\ddcca.dll Has been deleted!

    Performing Repairs to the registry.
    Done!



    And here's the contents of the combofix log:

    Compaq_Owner - 06-10-20 18:36:57.50 Service Pack 2
    ComboFix 06.10.19 - Running from: "C:\Documents and Settings\Compaq_Owner\Desktop "

    (((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


    C:\WINDOWS\system32\ismini.exe
    C:\WINDOWS\system32\components
    C:\Program Files\Common Files\{3D77C1DF-0D49-1033-0216-05012605003d}


    ((((((((((((((((((((((((((((((( Files Created from 2006-09-20 to 2006-10-20 ))))))))))))))))))))))))))))))))))


    2006-10-12 20:57 77,824 --a------ C:\WINDOWS\system32\wintab32.dll
    2006-10-11 23:55 917,504 --a------ C:\WINDOWS\system32\TblRes.dll
    2006-10-11 23:55 73,728 --a------ C:\WINDOWS\RmTablet.exe
    2006-10-11 23:55 61,440 --a------ C:\WINDOWS\system32\tblmouse.exe
    2006-10-11 23:55 57,344 --a------ C:\WINDOWS\system32\Tblfunc.dll
    2006-10-11 23:55 57,344 --a------ C:\WINDOWS\system32\Funckey.dll
    2006-10-11 23:55 188,416 --a------ C:\WINDOWS\system32\atwtusb.exe
    2006-09-23 10:32 18,944 --a------ C:\WINDOWS\system32\cool.exe
    2006-09-23 08:59 0 --a------ C:\WINDOWS\system32\taskkill.exe
    2006-09-23 08:59 0 --a------ C:\WINDOWS\b.exe
    2006-09-23 04:23 162,304 --a------ C:\UNWISE.EXE
    2006-09-21 22:42 223,128 --a------ C:\WINDOWS\system32\drivers\dtscsi.sys
    2006-09-21 22:39 96,256 --a------ C:\WINDOWS\system32\drivers\sptd1485.sys
    2006-09-21 22:39 643,072 --a------ C:\WINDOWS\system32\drivers\sptd.sys


    (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


    2006-10-20 18:37 -------- d-------- C:\Program Files\Common Files
    2006-10-19 21:45 -------- d-------- C:\Program Files\Windows Media Player
    2006-10-19 21:44 -------- d-------- C:\Program Files\QuickTime
    2006-10-19 21:43 -------- d-------- C:\Program Files\Norton Internet Security
    2006-10-19 21:42 -------- d-------- C:\Program Files\MSN Messenger
    2006-10-19 21:41 -------- d-------- C:\Program Files\Messenger Plus! Live
    2006-10-19 21:38 -------- d-------- C:\Program Files\iTunes
    2006-10-19 21:37 -------- d-------- C:\Program Files\Internet Explorer
    2006-10-19 21:36 -------- d-------- C:\Program Files\dvd43
    2006-10-19 21:35 -------- d-a------ C:\Program Files\Common Files\LightScribe
    2006-10-19 21:35 -------- d-------- C:\Program Files\Common Files\Symantec Shared
    2006-10-18 15:30 3226 --a------ C:\Documents and Settings\Compaq_Owner\Application Data\wklnhst.dat
    2006-10-18 14:59 -------- d-------- C:\Program Files\BlueVoda Website Builder
    2006-10-18 14:44 720896 --a------ C:\WINDOWS\iun6002.exe
    2006-10-17 19:21 -------- d-------- C:\Program Files\Mozilla Firefox
    2006-10-16 10:54 -------- d-------- C:\Program Files\Macromedia
    2006-10-16 10:49 -------- d-------- C:\Documents and Settings\Compaq_Owner\Application Data\Adobe
    2006-10-13 04:04 -------- d--h----- C:\Program Files\InstallShield Installation Information
    2006-10-13 04:01 -------- d-------- C:\Documents and Settings\Compaq_Owner\Application Data\Macromedia
    2006-10-11 23:28 -------- d-------- C:\Documents and Settings\Compaq_Owner\Application Data\AdobeUM
    2006-10-11 21:49 -------- d-------- C:\Program Files\StreetFighter Flash
    2006-10-11 21:49 -------- d-------- C:\Program Files\Google
    2006-10-11 21:46 183 --a------ C:\Program Files\2DH7F70P.bat
    2006-10-11 21:46 -------- d-------- C:\Program Files\swfscanner
    2006-09-28 20:39 -------- d-------- C:\Program Files\Adobe
    2006-09-24 10:41 -------- d-------- C:\Documents and Settings\Compaq_Owner\Application Data\Mozilla
    2006-09-23 21:36 -------- d-------- C:\Program Files\Liatro
    2006-09-23 19:41 -------- d-------- C:\Program Files\CoffeeCup Software
    2006-09-21 22:55 11973 --a------ C:\WINDOWS\system32\drivers\secdrv.sys
    2006-09-21 22:45 -------- d-------- C:\Program Files\Activision
    2006-09-13 15:01 1084416 --a------ C:\WINDOWS\system32\msxml3.dll
    2006-09-06 03:35 -------- d-------- C:\Documents and Settings\Compaq_Owner\Application Data\Ulead Systems
    2006-08-26 01:45 617472 --a------ C:\WINDOWS\system32\comctl32.dll
    2006-08-21 22:21 16896 --a------ C:\WINDOWS\system32\fltlib.dll
    2006-08-21 19:14 23040 --a------ C:\WINDOWS\system32\fltmc.exe
    2006-08-21 19:14 128896 --a------ C:\WINDOWS\system32\drivers\fltmgr.sys
    2006-08-16 21:58 100352 --a------ C:\WINDOWS\system32\6to4svc.dll
    2006-07-29 19:32 48936 --a------ C:\WINDOWS\system32\sirenacm.dll
    2006-07-27 23:24 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
    2006-07-21 18:24 72704 --a------ C:\WINDOWS\system32\hlink.dll


    (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

    *Note* empty entries are not shown

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
    "MsnMsgr "= "\ "C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background "
    "BitTorrent "= "\ "C:\\Program Files\\BitTorrent\\bittorrent.exe\" --force_start_minimized "
    "updateMgr "= "C:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\AdobeUpdateManager.exe AcRdB7_0_0 "

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
    "IMJPMIG8.1 "= "\ "C:\\WINDOWS\\IME\\imjp8_1\\IMJPMIG.EXE\" /Spoil /RemAdvDef /Migration32 "
    "MSPY2002 "= "C:\\WINDOWS\\system32\\IME\\PINTLGNT\\ImScInst.exe /SYNC "
    "PHIME2002ASync "= "C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /SYNC "
    "PHIME2002A "= "C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /IMEName "
    "SunJavaUpdateSched "= "C:\\Program Files\\Java\\jre1.5.0_03\\bin\\jusched.exe "
    "hpsysdrv "= "c:\\windows\\system\\hpsysdrv.exe "
    "High Definition Audio Property Page Shortcut "= "HDAudPropShortcut.exe "
    "NvCplDaemon "= "RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup "
    "nwiz "= "nwiz.exe /installquiet /keeploaded /nodetect "
    "AGRSMMSG "= "AGRSMMSG.exe "
    "KBD "= "C:\\HP\\KBD\\KBD.EXE "
    "TkBellExe "= "\ "C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot "
    "iTunesHelper "= "C:\\Program Files\\iTunes\\iTunesHelper.exe "
    "Recguard "= "C:\\WINDOWS\\SMINST\\RECGUARD.EXE "
    "ccApp "= "\ "c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\" "
    "PS2 "= "C:\\WINDOWS\\system32\\ps2.exe "
    "LSBWatcher "= "c:\\hp\\drivers\\hplsbwatcher\\lsburnwatcher.exe "
    "Reminder "= "\ "C:\\Windows\\Creator\\Remind_XP.exe\" "
    "Symantec NetDriver Monitor "= "C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe /Consumer "
    "SoundMan "= "SOUNDMAN.EXE "
    "AlcWzrd "= "ALCWZRD.EXE "
    "Alcmtr "= "ALCMTR.EXE "
    "dvd43 "= "C:\\Program Files\\dvd43\\dvd43_tray.exe "
    "QuickTime Task "= "\ "C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime "
    "BigPondCable "= "\ "C:\\Program Files\\Telstra\\Cable Login\\bpcable.exe\" /r "
    "atwtusb "= "atwtusb.exe beta "

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
    "Installed "= "1 "

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
    "Installed "= "1 "
    "NoChange "= "1 "

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
    "Installed "= "1 "

    [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
    "DeskHtmlVersion "=dword:00000110
    "DeskHtmlMinorVersion "=dword:00000005
    "Settings "=dword:00000001
    "GeneralFlags "=dword:00000001

    [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
    "Source "= "About:Home "
    "SubscribedURL "= "About:Home "
    "FriendlyName "= "My Current Home Page "
    "Flags "=dword:00000002
    "Position "=hex:2c,00,00,00,00,01,00,00,00,00,00,00,00,04,00,00,e2,03,00,00,00,\
    00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
    "CurrentState "=hex:04,00,00,40
    "OriginalStateInfo "=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
    ff,ff,04,00,00,00
    "RestoredStateInfo "=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
    00,00,01,00,00,00

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
    "{438755C2-A8BA-11D1-B96B-00A0C90312E1} "= "Browseui preloader "
    "{8C7461EF-2B13-11d2-BE35-3078302C2030} "= "Component Categories cache daemon "

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{AEB6717E-7E19-11d0-97EE-00C04FD91972} "=" "

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoDriveTypeAutoRun "=dword:00000091

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "dontdisplaylastusername "=dword:00000000
    "legalnoticecaption "=" "
    "legalnoticetext "=" "
    "shutdownwithoutlogon "=dword:00000001
    "undockwithoutlogon "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    "NoCDBurning "=dword:00000000

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    "NoDriveTypeAutoRun "=dword:00000091

    [HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
    "NoDriveTypeAutoRun "=dword:00000091

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
    "PostBootReminder "= "{7849596a-48ea-486e-8937-a2a3009f31a9} "
    "CDBurn "= "{fbeb8a05-beee-4442-804e-409d6c4515e9} "
    "WebCheck "= "{E6FB5E20-DE35-11CF-9C87-00AA005127ED} "
    "SysTray "= "{35CEC8A3-2BE6-11D2-8773-92E220524153} "
    "UPnPMonitor "= "{e57ce738-33e8-4c51-8354-bb4de9d215d1} "

    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winrnt32

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    "SecurityProviders "= "msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll "



    ~ ~ ~ ~ ~ ~ ~ ~ Hijackthis Backups ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

    backup-20061018-184318-188
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_AU&c=Q105&bd=presario&pf=desktop
    backup-20061018-184318-540
    O4 - HKLM\..\Run: [uhvjsul.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\uhvjsul.dll,mrpmvyf
    backup-20061018-184318-803
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    backup-20061018-184318-387
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_AU&c=Q105&bd=presario&pf=desktop
    backup-20061018-184318-327
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_AU&c=Q105&bd=presario&pf=desktop
    backup-20061018-184318-295
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_AU&c=Q105&bd=presario&pf=desktop
    backup-20061018-184318-598
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_AU&c=Q105&bd=presario&pf=desktop
    backup-20061018-184318-690
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_AU&c=Q105&bd=presario&pf=desktop
    backup-20061018-184318-515
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_AU&c=Q105&bd=presario&pf=desktop
    backup-20061018-184318-505
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_AU&c=Q105&bd=presario&pf=desktop

    Contents of the 'Scheduled Tasks' folder
    C:\WINDOWS\tasks\Symantec NetDetect.job

    Completion time: 06-10-20 18:38:09.71
    C:\ComboFix.txt ... 06-10-20 18:38



    And finally the new HJT log:

    Logfile of HijackThis v1.99.1
    Scan saved at 6:44:59 PM, on 20/10/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    c:\Program Files\Norton Internet Security\ISSVC.exe
    c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    c:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
    C:\windows\system\hpsysdrv.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\HP\KBD\KBD.EXE
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\ALCWZRD.EXE
    C:\WINDOWS\ALCMTR.EXE
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\dvd43\dvd43_tray.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\system32\atwtusb.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\WINDOWS\system32\TBLMOUSE.EXE
    C:\Program Files\Compaq Connections\6750491\Program\Compaq Connections.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\HJT\HijackThis.exe

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {1DAEFCB9-06C8-47c6-8F20-3FB54B244DAA} - C:\WINDOWS\system32\vhgtwevn.dll (file missing)
    O2 - BHO: (no name) - {278B661A-14A8-D8B0-6AF4-03088B866149} - C:\WINDOWS\system32\unaoakg.dll (file missing)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: (no name) - {B6161902-7306-46E5-BEA2-64D01BE8C075} - C:\WINDOWS\system32\ddcca.dll (file missing)
    O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
    O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe "
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [dvd43] C:\Program Files\dvd43\dvd43_tray.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [BigPondCable] "C:\Program Files\Telstra\Cable Login\bpcable.exe" /r
    O4 - HKLM\..\Run: [atwtusb] atwtusb.exe beta
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
    O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_0
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\6750491\Program\Compaq Connections.exe
    O8 - Extra context menu item: Download &Flash Movies - C:\Program Files\Flash Hunter\save.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - c:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O9 - Extra button: Flash2X Flash Hunter - {77B563A5-2A35-4E6B-BFC8-F4B6BB65D5DF} - C:\Program Files\Flash Hunter\save.htm (file missing) (HKCU)
    O9 - Extra 'Tools' menuitem: &Launch Flash Hunter - {77B563A5-2A35-4E6B-BFC8-F4B6BB65D5DF} - C:\Program Files\Flash Hunter\save.htm (file missing) (HKCU)
    O9 - Extra button: Flash Decompiler SWF Capture tool - {86B4FC19-8FA4-4FD3-B243-9AEDB42FA2D5} - C:\PROGRA~1\FLASHD~1\iebt.dll (HKCU)
    O9 - Extra 'Tools' menuitem: Flash Decompiler SWF Capture tool menu - {86B4FC19-8FA4-4FD3-B243-9AEDB42FA2D5} - C:\PROGRA~1\FLASHD~1\iebt.dll (HKCU)
    O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-30.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
    O16 - DPF: {DAF5D9A2-D982-4671-83E4-0398706A5F6A} (SCEWebLauncherCtl Object) - http://zone.msn.com/bingame/hsol/default/SCEWebLauncher.cab
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O20 - Winlogon Notify: winrnt32 - winrnt32.dll (file missing)
    O23 - Service: BigPond Broadband Cable Login (bpcService) - Unknown owner - C:\Program Files\Telstra\Cable Login\bpcService.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: ISSvc (ISSVC) - Symantec Corporation - c:\Program Files\Norton Internet Security\ISSVC.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
     
    Alex W,
    #8
  10. 2006/10/20
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Ok, looking much better. Lets continue with removal and fixing.


    1) Please download the Killbox.
    Save it to the desktop and run it.

    2) Select "Delete on Reboot ", and then select "All files ".

    3) Copy the file names below to the clipboard by highlighting them and pressing Control-C:
    C:\WINDOWS\system32\cool.exe
    C:\WINDOWS\b.exe
    C:\Documents and Settings\Compaq_Owner\Application Data\wklnhst.dat
    C:\WINDOWS\iun6002.exe
    C:\Program Files\2DH7F70P.bat
    C:\Program Files\swfscanner
    C:\WINDOWS\system32\vhgtwevn.dll
    C:\WINDOWS\system32\unaoakg.dll
    C:\WINDOWS\system32\ddcca.dll
    C:\WINDOWS\system32\ps2.exe
    winrnt32.dll

    4) Return to Killbox, go to the File menu, and choose "Paste from Clipboard ".

    5) Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

    Do not reboot yet.

    Run Hijackthis and look over the following entries I have listed, check the boxes next to them and press the "Fix Checked" button with HijackThis. When you are doing this, make sure you have No IE windows, or other browsers open, including this one. Reboot if I have specified below, and post a fresh HijackThis log.


    O2 - BHO: (no name) - {1DAEFCB9-06C8-47c6-8F20-3FB54B244DAA} - C:\WINDOWS\system32\vhgtwevn.dll (file missing)

    O2 - BHO: (no name) - {278B661A-14A8-D8B0-6AF4-03088B866149} - C:\WINDOWS\system32\unaoakg.dll (file missing)

    O2 - BHO: (no name) - {B6161902-7306-46E5-BEA2-64D01BE8C075} - C:\WINDOWS\system32\ddcca.dll (file missing)


    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe


    O20 - Winlogon Notify: winrnt32 - winrnt32.dll (file missing)

    Reboot and run ComboFix first, then HJT and post both logs back into this thread.
     
    TeMerc,
    #9
  11. 2006/10/26
    Alex W

    Alex W Inactive Thread Starter

    Joined:
    2006/08/14
    Messages:
    53
    Likes Received:
    0
    Here is the latest combofix log

    Compaq_Owner - 06-10-27 2:17:17.43 Service Pack 2
    ComboFix 06.10.19 - Running from: "C:\Documents and Settings\Compaq_Owner\Desktop "

    ((((((((((((((((((((((((((((((( Files Created from 2006-09-27 to 2006-10-27 ))))))))))))))))))))))))))))))))))


    2006-10-12 20:57 77,824 --a------ C:\WINDOWS\system32\wintab32.dll
    2006-10-11 23:55 917,504 --a------ C:\WINDOWS\system32\TblRes.dll
    2006-10-11 23:55 73,728 --a------ C:\WINDOWS\RmTablet.exe
    2006-10-11 23:55 61,440 --a------ C:\WINDOWS\system32\tblmouse.exe
    2006-10-11 23:55 57,344 --a------ C:\WINDOWS\system32\Tblfunc.dll
    2006-10-11 23:55 57,344 --a------ C:\WINDOWS\system32\Funckey.dll
    2006-10-11 23:55 188,416 --a------ C:\WINDOWS\system32\atwtusb.exe


    (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


    2006-10-27 02:09 -------- d-------- C:\Program Files\Common Files
    2006-10-27 01:58 -------- d-------- C:\Program Files\Mozilla Firefox
    2006-10-25 07:33 -------- d-------- C:\Documents and Settings\Compaq_Owner\Application Data\Adobe
    2006-10-24 21:41 -------- d-------- C:\Documents and Settings\Compaq_Owner\Application Data\Opera
    2006-10-24 18:30 -------- d-------- C:\Program Files\Adobe
    2006-10-24 18:28 -------- d-------- C:\Program Files\Common Files\Adobe
    2006-10-24 18:23 -------- d-------- C:\Program Files\Common Files\Adobe Systems Shared
    2006-10-21 23:37 -------- d-------- C:\Program Files\Java
    2006-10-19 21:45 -------- d-------- C:\Program Files\Windows Media Player
    2006-10-19 21:44 -------- d-------- C:\Program Files\QuickTime
    2006-10-19 21:43 -------- d-------- C:\Program Files\Norton Internet Security
    2006-10-19 21:42 -------- d-------- C:\Program Files\MSN Messenger
    2006-10-19 21:41 -------- d-------- C:\Program Files\Messenger Plus! Live
    2006-10-19 21:38 -------- d-------- C:\Program Files\iTunes
    2006-10-19 21:37 -------- d-------- C:\Program Files\Internet Explorer
    2006-10-19 21:36 -------- d-------- C:\Program Files\dvd43
    2006-10-19 21:35 -------- d-a------ C:\Program Files\Common Files\LightScribe
    2006-10-19 21:35 -------- d-------- C:\Program Files\Common Files\Symantec Shared
    2006-10-18 14:59 -------- d-------- C:\Program Files\BlueVoda Website Builder
    2006-10-16 10:54 -------- d-------- C:\Program Files\Macromedia
    2006-10-13 04:04 -------- d--h----- C:\Program Files\InstallShield Installation Information
    2006-10-13 04:01 -------- d-------- C:\Documents and Settings\Compaq_Owner\Application Data\Macromedia
    2006-10-11 23:28 -------- d-------- C:\Documents and Settings\Compaq_Owner\Application Data\AdobeUM
    2006-10-11 21:49 -------- d-------- C:\Program Files\StreetFighter Flash
    2006-10-11 21:49 -------- d-------- C:\Program Files\Google
    2006-10-11 21:46 -------- d-------- C:\Program Files\swfscanner
    2006-09-24 10:41 -------- d-------- C:\Documents and Settings\Compaq_Owner\Application Data\Mozilla
    2006-09-23 21:36 -------- d-------- C:\Program Files\Liatro
    2006-09-23 19:41 -------- d-------- C:\Program Files\CoffeeCup Software
    2006-09-23 08:59 0 --a------ C:\WINDOWS\system32\taskkill.exe
    2006-09-21 22:55 11973 --a------ C:\WINDOWS\system32\drivers\secdrv.sys
    2006-09-21 22:45 -------- d-------- C:\Program Files\Activision
    2006-09-21 22:42 223128 --a------ C:\WINDOWS\system32\drivers\dtscsi.sys
    2006-09-21 22:39 96256 --a------ C:\WINDOWS\system32\drivers\sptd1485.sys
    2006-09-21 22:39 643072 --a------ C:\WINDOWS\system32\drivers\sptd.sys
    2006-09-13 15:01 1084416 --a------ C:\WINDOWS\system32\msxml3.dll
    2006-09-06 03:35 -------- d-------- C:\Documents and Settings\Compaq_Owner\Application Data\Ulead Systems
    2006-08-26 01:45 617472 --a------ C:\WINDOWS\system32\comctl32.dll
    2006-08-21 22:21 16896 --a------ C:\WINDOWS\system32\fltlib.dll
    2006-08-21 19:14 23040 --a------ C:\WINDOWS\system32\fltmc.exe
    2006-08-16 21:58 100352 --a------ C:\WINDOWS\system32\6to4svc.dll
    2006-07-29 19:32 48936 --a------ C:\WINDOWS\system32\sirenacm.dll
    2006-07-27 23:24 679424 --a------ C:\WINDOWS\system32\inetcomm.dll


    (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

    *Note* empty entries are not shown

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
    "MsnMsgr "= "\ "C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background "
    "BitTorrent "= "\ "C:\\Program Files\\BitTorrent\\bittorrent.exe\" --force_start_minimized "
    "updateMgr "= "C:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\AdobeUpdateManager.exe AcRdB7_0_0 "

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
    "IMJPMIG8.1 "= "\ "C:\\WINDOWS\\IME\\imjp8_1\\IMJPMIG.EXE\" /Spoil /RemAdvDef /Migration32 "
    "MSPY2002 "= "C:\\WINDOWS\\system32\\IME\\PINTLGNT\\ImScInst.exe /SYNC "
    "PHIME2002ASync "= "C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /SYNC "
    "PHIME2002A "= "C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /IMEName "
    "SunJavaUpdateSched "= "C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe "
    "hpsysdrv "= "c:\\windows\\system\\hpsysdrv.exe "
    "High Definition Audio Property Page Shortcut "= "HDAudPropShortcut.exe "
    "NvCplDaemon "= "RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup "
    "nwiz "= "nwiz.exe /installquiet /keeploaded /nodetect "
    "AGRSMMSG "= "AGRSMMSG.exe "
    "KBD "= "C:\\HP\\KBD\\KBD.EXE "
    "TkBellExe "= "\ "C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot "
    "iTunesHelper "= "C:\\Program Files\\iTunes\\iTunesHelper.exe "
    "Recguard "= "C:\\WINDOWS\\SMINST\\RECGUARD.EXE "
    "ccApp "= "\ "c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\" "
    "LSBWatcher "= "c:\\hp\\drivers\\hplsbwatcher\\lsburnwatcher.exe "
    "Reminder "= "\ "C:\\Windows\\Creator\\Remind_XP.exe\" "
    "Symantec NetDriver Monitor "= "C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe /Consumer "
    "SoundMan "= "SOUNDMAN.EXE "
    "AlcWzrd "= "ALCWZRD.EXE "
    "Alcmtr "= "ALCMTR.EXE "
    "dvd43 "= "C:\\Program Files\\dvd43\\dvd43_tray.exe "
    "QuickTime Task "= "\ "C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime "
    "BigPondCable "= "\ "C:\\Program Files\\Telstra\\Cable Login\\bpcable.exe\" /r "
    "atwtusb "= "atwtusb.exe beta "

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
    "Installed "= "1 "

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
    "Installed "= "1 "
    "NoChange "= "1 "

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
    "Installed "= "1 "

    [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
    "DeskHtmlVersion "=dword:00000110
    "DeskHtmlMinorVersion "=dword:00000005
    "Settings "=dword:00000001
    "GeneralFlags "=dword:00000001

    [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
    "Source "= "About:Home "
    "SubscribedURL "= "About:Home "
    "FriendlyName "= "My Current Home Page "
    "Flags "=dword:00000002
    "Position "=hex:2c,00,00,00,00,01,00,00,00,00,00,00,00,04,00,00,e2,03,00,00,00,\
    00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
    "CurrentState "=hex:04,00,00,40
    "OriginalStateInfo "=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
    ff,ff,04,00,00,00
    "RestoredStateInfo "=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
    00,00,01,00,00,00

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
    "{438755C2-A8BA-11D1-B96B-00A0C90312E1} "= "Browseui preloader "
    "{8C7461EF-2B13-11d2-BE35-3078302C2030} "= "Component Categories cache daemon "

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{AEB6717E-7E19-11d0-97EE-00C04FD91972} "=" "

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoDriveTypeAutoRun "=dword:00000091

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "dontdisplaylastusername "=dword:00000000
    "legalnoticecaption "=" "
    "legalnoticetext "=" "
    "shutdownwithoutlogon "=dword:00000001
    "undockwithoutlogon "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    "NoCDBurning "=dword:00000000

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    "NoDriveTypeAutoRun "=dword:00000091

    [HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
    "NoDriveTypeAutoRun "=dword:00000091

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
    "PostBootReminder "= "{7849596a-48ea-486e-8937-a2a3009f31a9} "
    "CDBurn "= "{fbeb8a05-beee-4442-804e-409d6c4515e9} "
    "WebCheck "= "{E6FB5E20-DE35-11CF-9C87-00AA005127ED} "
    "SysTray "= "{35CEC8A3-2BE6-11D2-8773-92E220524153} "
    "UPnPMonitor "= "{e57ce738-33e8-4c51-8354-bb4de9d215d1} "

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    "SecurityProviders "= "msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll "


    Contents of the 'Scheduled Tasks' folder
    C:\WINDOWS\tasks\Symantec NetDetect.job

    Completion time: 06-10-27 2:18:00.60
    C:\ComboFix.txt ... 06-10-27 02:18
    C:\ComboFix2.txt ... 06-10-20 18:38


    And here is the latest hijack this log:

    Logfile of HijackThis v1.99.1
    Scan saved at 2:22:56 AM, on 27/10/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    c:\Program Files\Norton Internet Security\ISSVC.exe
    c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    c:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\windows\system\hpsysdrv.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\HP\KBD\KBD.EXE
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\ALCWZRD.EXE
    C:\WINDOWS\ALCMTR.EXE
    C:\Program Files\dvd43\dvd43_tray.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\system32\atwtusb.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\Compaq Connections\6750491\Program\Compaq Connections.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\HJT\HijackThis.exe

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
    O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe "
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [dvd43] C:\Program Files\dvd43\dvd43_tray.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [BigPondCable] "C:\Program Files\Telstra\Cable Login\bpcable.exe" /r
    O4 - HKLM\..\Run: [atwtusb] atwtusb.exe beta
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
    O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_0
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\6750491\Program\Compaq Connections.exe
    O8 - Extra context menu item: Download &Flash Movies - C:\Program Files\Flash Hunter\save.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - c:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O9 - Extra button: Flash2X Flash Hunter - {77B563A5-2A35-4E6B-BFC8-F4B6BB65D5DF} - C:\Program Files\Flash Hunter\save.htm (file missing) (HKCU)
    O9 - Extra 'Tools' menuitem: &Launch Flash Hunter - {77B563A5-2A35-4E6B-BFC8-F4B6BB65D5DF} - C:\Program Files\Flash Hunter\save.htm (file missing) (HKCU)
    O9 - Extra button: Flash Decompiler SWF Capture tool - {86B4FC19-8FA4-4FD3-B243-9AEDB42FA2D5} - C:\PROGRA~1\FLASHD~1\iebt.dll (HKCU)
    O9 - Extra 'Tools' menuitem: Flash Decompiler SWF Capture tool menu - {86B4FC19-8FA4-4FD3-B243-9AEDB42FA2D5} - C:\PROGRA~1\FLASHD~1\iebt.dll (HKCU)
    O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-30.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
    O16 - DPF: {DAF5D9A2-D982-4671-83E4-0398706A5F6A} (SCEWebLauncherCtl Object) - http://zone.msn.com/bingame/hsol/default/SCEWebLauncher.cab
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: BigPond Broadband Cable Login (bpcService) - Unknown owner - C:\Program Files\Telstra\Cable Login\bpcService.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: ISSvc (ISSVC) - Symantec Corporation - c:\Program Files\Norton Internet Security\ISSVC.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

    Thanks again! :) The problem seems to have completely stopped
     
    Alex W,
    #10
  12. 2006/10/26
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Ok, very well, all logs appear clear and you're reporting all symptoms have gone. Nice work.

    We have 3 more things to do, to help ensure you have removed all the little 'leftovers' which may be hiding:

    Empty the TIF (Temporary Internet Files)
    Delete all the files in (and any subfolders of) the C:\Windows\Temp folder
    The app below will help with temp files.
    Index.dat Suite

    Also, delete all your cookies, and empty your recycle bin. But remember, by deleting your cookies, you will have to re-enter any passwords and log-in info for any sites you are usually required to do so with.

    This would also be a good time to set a new system restore point for your machine.
    Set New System Restore Point. Do not do this unless there are no other user accounts to be diagnosed.

    Also, as you are an XP user, if there are any other accounts on this machine, they too, must be cleaned with AdAware, Spybot S&D, then HJT. Not all infections are global, nor are all the HJT fixes global. You can post each user account here into this thread, but please, do only one at a time to avoid confusion.

    Here is a link which describes how security apps work with WIN XP machines.
    XP User Accts Security Apps Operation

    To further prevent the installation of ad/mal/spyware, DL the apps below, which are just as good the fight against ad/mal/spyware as AdAware & Spybot S&D:

    SpywareBlaster
    With SpywareBlaster v3.5.1 , just DL, install and check for updates, enable Internet Explorer protection, and your done! I don't recommend using IE restricted sites protection as it's not a very large database. Use IE-SPYADs below.

    To avoid known malware infested sites from loading in IE install IESPY ADS.
    And MVPS Hosts File will accomplish a similar tactic and provide another layer of protection.

    And to prevent unknown applications from being inserted to start up on your machine install WinPatrol v10.0.5.

    Another thing I would suggest, is to install SiteAdvisor. It gives sites a few different 'ratings' and while not fool proof, a good additional layer of information about many sites.

    Links for tutorials for all the apps I mentioned can be found on my site as well.

    Confused about which apps are good or not? Read about Rogue/Approved Anti Security apps

    And just because you have security apps installed, they are useless unless updated regularly. Keep track of updates for ALL your security needs here:
    Calendar of Updates

    Subscribe to update alerts for all the above security apps here.

    You can also see my own ongoing security testing with all the above apps proving how securely you can safe with them installed.
    TeMerc Test Box Forum

    Happy surfing!!
    Tom :D
     
    TeMerc,
    #11
  13. 2006/11/02
    Alex W

    Alex W Inactive Thread Starter

    Joined:
    2006/08/14
    Messages:
    53
    Likes Received:
    0
    Thanks very much for all your help.

    You're a champion :)
     
    Alex W,
    #12
  14. 2006/11/02
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Glad we could be of assistance.

    Due to resolution this topic is closed.

    If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.
     
    TeMerc,
    #13
Thread Status:
Not open for further replies.

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Accept Learn More...