1. You are viewing our forum as a guest. For full access please Register. WindowsBBS.com is completely free, paid for by advertisers and donations.

Solved Bloodhound.SONAR.1 & Trojan Horses - [HJT Log included]

Discussion in 'Malware and Virus Removal Archive' started by ginsta, 2008/08/23.

  1. 2008/08/23
    ginsta

    ginsta Inactive Thread Starter

    Joined:
    2008/08/23
    Messages:
    11
    Likes Received:
    0
    [Resolved] Bloodhound.SONAR.1 & Trojan Horses - [HJT Log included]

    Hi all, I found this board through a google search on Bloodhound.SONAR.1 and saw that you had resolved a few other cases similar to mine so I figured I'd give it a shot since I have no idea how to get rid of this problem.

    Like this case which was able to be resolved: [Resolved] bloodhound.sonar.1, I have been getting pop ups on my Internet Explorer, even though I only use Firefox now. I also will randomly hear audio clips that sound like they're ads, such as "Congratulations, you just won an IPOD," although there will be no correlating pop up. On top of that, my computer has also since been running abnormally slow.

    My Symantec Endpoint Protection scans have reported/quarantined several Trojan Horses (a lot of these: w17b22Mt.dll, among other file names), most of which have the same file name and keep showing up, even after being supposedly removed. And the questionable file that is the Bloodhound.SONAR.1 (7ei8xbm1.exe) also keeps coming back after being supposedly quarantined or removed. These viruses are mostly showing up in my System 32 folder, as well as Temp folder, but also in a few other random places.

    I'm currently running Windows XP Home Edition, Version 2002 and I've been regularly running scans with Symantec Endpoint Protection, as well as with Ad-Aware 2008, both of which continue to find a lot of trojans/bloodhound.SONAR.1 and spyware.

    Also, I'm not sure if these are effects of the viruses but both my Symantec & Ad-Aware programs have started to act a little wonky, in that they'll randomly say that their virus definitions are not on my computer anymore or they'll just crash, all together. Luckily, I've been able to get them to work again but they're still acting up.

    If anyone can please help me clean this out, I'd really appreciate it!

    Here's my HijackThis log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 2:08:51 PM, on 8/23/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Symantec AntiVirus\Smc.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Symantec AntiVirus\SmcGui.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Java\jre1.5.0_11\bin\jucheck.exe
    c:\program files\internet explorer\iexplore.exe
    C:\WINDOWS\system32\7EI8XBm1.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O1 - Hosts: 85.17.40.71 oink.me.uk
    O1 - Hosts: 85.17.40.69 tracker.oink.me.uk
    O1 - Hosts: 85.17.40.70 irc.oink.me.uk
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
    O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe "
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe "
    O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe "
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKCU\..\Run: [µTorrent] "C:\Program Files\UTorrent\utorrent.exe "
    O4 - HKCU\..\Run: [DAEMON Tools Pro Agent] "C:\Program Files\DAEMON Tools Pro\DTProAgent.exe "
    O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\UTorrent\utorrent.exe "
    O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
    O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
    O4 - Startup: NaturalColorLoad.lnk = ?
    O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: NaturalColorLoad.lnk = ?
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
    O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
    O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
    O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {072039AB-2117-4ED5-A85F-9B9EB903E021} (NowStarter Control) - http://www.clubbox.co.kr/neo.fld/NowStarter.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1178227824718
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1178227804078
    O16 - DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} (Domino Web Access 7 Control) - http://vram9c.vcu.edu/dwa7W.cab
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5364/mcfscan.cab
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Smc.exe
    O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\SNAC.EXE
    O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

    --
    End of file - 9445 bytes
     
    ginsta,
    #1
  2. 2008/08/24
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Welcome to WindowsBBS ginsta :)

    Download ComboFix by sUBs from here, saving the file to your desktop.

    Important! ComboFix.exe must be on your desktop!


    Please disable realtime protection applications as they sometimes interfere with the tool. Check this link for your applicable programs.

    • Close all open programs and windows
    • Click Start>Run and type or paste the following command.

      "%userprofile%\desktop\combofix.exe" /skipfix

    • ComboFix will run ..... follow the prompts.
    • It may reboot your computer and resume running when you logon. Wait for it to complete. When finished, it will open a log for you. Post that log and a new HijackThis log in your next reply.
    Note: Do not mouseclick combofix's window while its running. That may cause it to stall
     
    noahdfear,
    #2


  3. to hide this advert.

  4. 2008/08/24
    ginsta

    ginsta Inactive Thread Starter

    Joined:
    2008/08/23
    Messages:
    11
    Likes Received:
    0
    Hi Noah,

    Thanks so much for the prompt reply & help.

    Here's my ComboFix log:

    ComboFix 08-08-23.03 - Virginia 2008-08-24 16:58:03.1 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.154 [GMT -4:00]
    Running from: C:\Documents and Settings\Virginia.ZEPHYR\desktop\combofix.exe
    Command switches used :: /skipfix
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .
    - REDUCED FUNCTIONALITY MODE -
    .

    ((((((((((((((((((((((((( Files Created from 2008-07-24 to 2008-08-24 )))))))))))))))))))))))))))))))
    .

    2008-08-23 13:27 . 2008-08-23 21:29 82,434 --a------ C:\WINDOWS\system32\7EI8XBm1.exe
    2008-08-23 11:37 . 2008-08-23 11:37 <DIR> d-------- C:\Program Files\Trend Micro
    2008-08-20 22:41 . 2008-08-20 22:41 <DIR> d-------- C:\Program Files\Lavasoft
    2008-08-20 22:41 . 2008-08-20 22:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
    2008-08-20 22:38 . 2008-08-20 22:38 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2008-08-20 17:48 . 2008-08-20 17:48 0 --a------ C:\WINDOWS\system32\7EI8XBm1.exe.a_a
    2008-08-20 17:42 . 2008-08-22 09:33 123,952 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
    2008-08-20 17:42 . 2008-08-22 09:33 60,800 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
    2008-08-20 17:42 . 2008-08-22 09:33 10,563 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT
    2008-08-20 17:42 . 2008-08-22 09:33 805 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF
    2008-08-20 17:40 . 2007-03-21 20:39 1,060,864 --a------ C:\WINDOWS\system32\MFC71.DL1
    2008-08-20 17:40 . 2007-03-21 20:33 503,808 --a------ C:\WINDOWS\system32\MSVCP71.DL1
    2008-08-20 17:04 . 2008-08-20 17:04 <DIR> d-------- C:\WINDOWS\McAfee.com
    2008-08-19 02:08 . 2008-08-19 02:07 29,760 --a------ C:\WINDOWS\system32\Mf3I17rt.exe
    2008-08-19 02:08 . 2008-08-19 02:08 0 --a------ C:\WINDOWS\system32\Mf3I17rt.exe.a_a

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-08-23 16:42 --------- d-----w C:\Documents and Settings\Virginia.ZEPHYR\Application Data\uTorrent
    2008-08-22 13:33 --------- d-----w C:\Program Files\Symantec
    2008-08-22 03:46 --------- d-----w C:\Program Files\UTorrent
    2008-08-20 21:57 --------- d-----w C:\Program Files\Symantec AntiVirus
    2008-08-20 21:54 --------- d-----w C:\Program Files\Common Files\Symantec Shared
    2008-08-20 21:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
    2008-05-13 14:50 30,360 ----a-w C:\Documents and Settings\Virginia.ZEPHYR\Application Data\GDIPFONTCACHEV1.DAT
    2007-02-16 22:13 0 -c--a-w C:\Documents and Settings\Virginia.ZEPHYR\Application Data\Install.dat
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "µTorrent "= "C:\Program Files\UTorrent\utorrent.exe" [2008-01-31 00:30 219952]
    "DAEMON Tools Pro Agent "= "C:\Program Files\DAEMON Tools Pro\DTProAgent.exe" [2007-09-17 04:52 136136]
    "uTorrent "= "C:\Program Files\UTorrent\utorrent.exe" [2008-01-31 00:30 219952]
    "updateMgr "= "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45 313472]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SunJavaUpdateSched "= "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe" [2006-12-15 04:23 75520]
    "NeroFilterCheck "= "C:\WINDOWS\system32\NeroCheck.exe" [2006-01-12 15:40 155648]
    "QuickTime Task "= "C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 06:24 286720]
    "iTunesHelper "= "C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-26 14:42 267064]
    "OpwareSE2 "= "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [2003-05-08 11:00 49152]
    "ccApp "= "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-08-18 10:02 115560]
    "SoundMan "= "SOUNDMAN.EXE" [2003-02-10 23:59 47104 C:\WINDOWS\SOUNDMAN.EXE]
    "BluetoothAuthenticationAgent "= "irprops.cpl" [2004-08-04 03:56 380416 C:\WINDOWS\system32\irprops.cpl]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "ALUAlert "= "C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe" [2007-08-11 20:05 492912]

    C:\Documents and Settings\Virginia.ZEPHYR\Start Menu\Programs\Startup\
    NaturalColorLoad.lnk - C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe [2006-05-10 21:07:59 155715]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2006-05-10 21:40:59 25214]
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
    Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]
    NaturalColorLoad.lnk - C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe [2006-05-10 21:07:59 155715]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "vidc.ffds "= C:\PROGRA~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll
    "vidc.wmv3 "= C:\PROGRA~1\COMBIN~1\Filters\wmv9vcm.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
    @= "Service "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
    @= "Service "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
    @= "Service "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antvirus]
    @= "Service "

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
    --a--c--- 2004-12-14 02:12 483328 C:\Program Files\Adobe\Acrobat 7.0\Distillr\acrotray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    --a------ 2007-09-26 14:42 267064 C:\Program Files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    --a------ 2007-06-29 06:24 286720 C:\Program Files\QuickTime\QTTask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring "=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "C:\\Program Files\\UTorrent\\utorrent.exe "=
    "C:\\Program Files\\Last.fm\\LastFM.exe "=
    "C:\\Program Files\\Bonjour\\mDNSResponder.exe "=
    "C:\\Program Files\\iTunes\\iTunes.exe "=
    "C:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe "=
    "C:\\Program Files\\AIM\\aim.exe "=
    "C:\\WINDOWS\\system32\\dpvsetup.exe "=
    "C:\\WINDOWS\\system32\\rundll32.exe "=
    "C:\\Program Files\\LimeWire\\LimeWire.exe "=
    "C:\\Program Files\\Messenger\\msmsgs.exe "=
    "C:\\Program Files\\Symantec AntiVirus\\Smc.exe "=
    "C:\\Program Files\\Symantec AntiVirus\\SNAC.EXE "=
    "C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe "=

    R1 vcdrom;Virtual CD-ROM Device Driver;C:\WINDOWS\system32\drivers\VCdRom.sys [2001-12-19 11:45]
    R3 WMP11V27;Instant Wireless PCI Card V2.7 Driver;C:\WINDOWS\system32\DRIVERS\WMP11V27.sys [2002-07-30 05:22]
    S1 lusbaudio;Logitech USB Microphone;C:\WINDOWS\system32\drivers\OVSound2.sys [2001-08-17 17:05]
    S3 COH_Mon;COH_Mon;C:\WINDOWS\system32\Drivers\COH_Mon.sys [2008-08-18 10:02]
    S3 QCEmerald;Logitech QuickCam Web;C:\WINDOWS\system32\DRIVERS\OVCE.sys [2001-08-17 17:05]
    .
    Contents of the 'Scheduled Tasks' folder

    2008-08-20 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]
    .
    - - - - ORPHANS REMOVED - - - -

    Notify-NavLogon - (no file)
    Notify-WgaLogon - (no file)


    .
    ------- Supplementary Scan -------
    .
    FireFox -: Profile - C:\Documents and Settings\Virginia.ZEPHYR\Application Data\Mozilla\Firefox\Profiles\6rbi32nk.default\
    FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.com/ig
    .

    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-08-24 17:06:43
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    PROCESS: C:\WINDOWS\system32\winlogon.exe
    -> C:\WINDOWS\system32\tsd32.dll
    .
    Completion time: 2008-08-24 17:31:02
    ComboFix-quarantined-files.txt 2008-08-24 21:29:28

    Pre-Run: 4,419,919,872 bytes free
    Post-Run: 5,471,690,752 bytes free

    138 --- E O F --- 2008-08-18 07:07:42


    And here's my new HJT log:

    Btw, C:\WINDOWS\system32\7EI8XBm1.exe was running but I had ended it right before I created my HJT log, just so you know, in case that makes a difference as to why it's not listed in the HJT log.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 5:34:19 PM, on 8/24/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Symantec AntiVirus\Smc.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Symantec AntiVirus\SmcGui.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O1 - Hosts: 85.17.40.71 oink.me.uk
    O1 - Hosts: 85.17.40.69 tracker.oink.me.uk
    O1 - Hosts: 85.17.40.70 irc.oink.me.uk
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
    O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe "
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe "
    O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe "
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKCU\..\Run: [µTorrent] "C:\Program Files\UTorrent\utorrent.exe "
    O4 - HKCU\..\Run: [DAEMON Tools Pro Agent] "C:\Program Files\DAEMON Tools Pro\DTProAgent.exe "
    O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\UTorrent\utorrent.exe "
    O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
    O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
    O4 - Startup: NaturalColorLoad.lnk = ?
    O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: NaturalColorLoad.lnk = ?
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
    O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
    O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
    O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {072039AB-2117-4ED5-A85F-9B9EB903E021} (NowStarter Control) - http://www.clubbox.co.kr/neo.fld/NowStarter.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1178227824718
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1178227804078
    O16 - DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} (Domino Web Access 7 Control) - http://vram9c.vcu.edu/dwa7W.cab
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5364/mcfscan.cab
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Smc.exe
    O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\SNAC.EXE
    O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

    --
    End of file - 9597 bytes
     
    ginsta,
    #3
  5. 2008/08/24
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Once again, please disable any realtime protection applications. Highlight and copy the contents of the code box below and paste it into a blank notepad, then save it to your desktop as;

    Filename: CFScript.txt
    Save As Type: All Files (*.*)

    Code:
    Extra::
File::
C:\WINDOWS\system32\7EI8XBm1.exe
C:\WINDOWS\system32\7EI8XBm1.exe.a_a
C:\WINDOWS\system32\Mf3I17rt.exe
C:\WINDOWS\system32\Mf3I17rt.exe.a_a
    Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button. Combofix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log.

    Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.


    Once you've posted the log, please download RegSearch.zip and extract the contents of the zip file to it's own folder.
    Open the folder and double-click the icon for RegSearch.exe to launch the program.
    Enter 7EI8XBm1.exe on the top line, Mf3I17rt.exe on the next line and click OK. After completion, notepad will be opened with all the found instances, if any. Please post that log here.
     
    noahdfear,
    #4
  6. 2008/08/24
    ginsta

    ginsta Inactive Thread Starter

    Joined:
    2008/08/23
    Messages:
    11
    Likes Received:
    0
    I did as you asked. Here's the new ComboFix log:

    ComboFix 08-08-23.03 - Virginia 2008-08-24 18:32:16.2 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.153 [GMT -4:00]
    Running from: C:\Documents and Settings\Virginia.ZEPHYR\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Virginia.ZEPHYR\Desktop\CFScript.txt
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

    FILE ::
    C:\WINDOWS\system32\7EI8XBm1.exe
    C:\WINDOWS\system32\7EI8XBm1.exe.a_a
    C:\WINDOWS\system32\Mf3I17rt.exe
    C:\WINDOWS\system32\Mf3I17rt.exe.a_a
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\NetworkService\Application Data\macromedia\Flash Player\#SharedObjects\GJVKCQWZ\interclick.com
    C:\Documents and Settings\NetworkService\Application Data\macromedia\Flash Player\#SharedObjects\GJVKCQWZ\interclick.com\ud.sol
    C:\Documents and Settings\NetworkService\Application Data\macromedia\Flash Player\#SharedObjects\NTNJW6GS\interclick.com
    C:\Documents and Settings\NetworkService\Application Data\macromedia\Flash Player\#SharedObjects\NTNJW6GS\interclick.com\ud.sol
    C:\Documents and Settings\NetworkService\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
    C:\Documents and Settings\NetworkService\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
    C:\Documents and Settings\Virginia.ZEPHYR\Application Data\install.dat
    C:\Documents and Settings\Virginia.ZEPHYR\Application Data\macromedia\Flash Player\#SharedObjects\3RL5HMSJ\interclick.com
    C:\Documents and Settings\Virginia.ZEPHYR\Application Data\macromedia\Flash Player\#SharedObjects\3RL5HMSJ\interclick.com\ud.sol
    C:\Documents and Settings\Virginia.ZEPHYR\Application Data\macromedia\Flash Player\#SharedObjects\3RL5HMSJ\static.youku.com
    C:\Documents and Settings\Virginia.ZEPHYR\Application Data\macromedia\Flash Player\#SharedObjects\3RL5HMSJ\static.youku.com\v\swf\qplayer.swf\youku.sol
    C:\Documents and Settings\Virginia.ZEPHYR\Application Data\macromedia\Flash Player\#SharedObjects\3RL5HMSJ\www.broadcaster.com
    C:\Documents and Settings\Virginia.ZEPHYR\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
    C:\Documents and Settings\Virginia.ZEPHYR\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
    C:\Documents and Settings\Virginia.ZEPHYR\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#static.youku.com
    C:\Documents and Settings\Virginia.ZEPHYR\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#static.youku.com\settings.sol
    C:\Documents and Settings\Virginia.ZEPHYR\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
    C:\Documents and Settings\Virginia.ZEPHYR\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
    C:\Documents and Settings\Virginia.ZEPHYR\Cookies\virginia@spamblockerutility[2].txt
    C:\Documents and Settings\Virginia.ZEPHYR\Cookies\virginia@trafficmp[1].txt
    C:\WINDOWS\system32\7EI8XBm1.exe
    C:\WINDOWS\system32\7EI8XBm1.exe.a_a
    C:\WINDOWS\system32\Mf3I17rt.exe
    C:\WINDOWS\system32\Mf3I17rt.exe.a_a

    .
    ((((((((((((((((((((((((( Files Created from 2008-07-24 to 2008-08-24 )))))))))))))))))))))))))))))))
    .

    2008-08-23 11:37 . 2008-08-23 11:37 <DIR> d-------- C:\Program Files\Trend Micro
    2008-08-20 22:41 . 2008-08-20 22:41 <DIR> d-------- C:\Program Files\Lavasoft
    2008-08-20 22:41 . 2008-08-20 22:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
    2008-08-20 22:38 . 2008-08-20 22:38 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2008-08-20 17:42 . 2008-08-22 09:33 123,952 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
    2008-08-20 17:42 . 2008-08-22 09:33 60,800 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
    2008-08-20 17:42 . 2008-08-22 09:33 10,563 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT
    2008-08-20 17:42 . 2008-08-22 09:33 805 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF
    2008-08-20 17:40 . 2007-03-21 20:39 1,060,864 --a------ C:\WINDOWS\system32\MFC71.DL1
    2008-08-20 17:40 . 2007-03-21 20:33 503,808 --a------ C:\WINDOWS\system32\MSVCP71.DL1
    2008-08-20 17:04 . 2008-08-20 17:04 <DIR> d-------- C:\WINDOWS\McAfee.com

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-08-23 16:42 --------- d-----w C:\Documents and Settings\Virginia.ZEPHYR\Application Data\uTorrent
    2008-08-22 13:33 --------- d-----w C:\Program Files\Symantec
    2008-08-22 03:46 --------- d-----w C:\Program Files\UTorrent
    2008-08-20 21:57 --------- d-----w C:\Program Files\Symantec AntiVirus
    2008-08-20 21:54 --------- d-----w C:\Program Files\Common Files\Symantec Shared
    2008-08-20 21:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
    2008-07-19 02:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
    2008-07-19 02:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
    2008-07-19 02:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
    2008-07-19 02:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
    2008-07-19 02:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
    2008-07-19 02:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
    2008-07-19 02:07 270,880 ----a-w C:\WINDOWS\system32\mucltui.dll
    2008-07-19 02:07 210,976 ----a-w C:\WINDOWS\system32\muweb.dll
    2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\system32\es.dll
    2008-06-24 16:23 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
    2008-06-23 15:38 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
    2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
    2008-05-13 14:50 30,360 ----a-w C:\Documents and Settings\Virginia.ZEPHYR\Application Data\GDIPFONTCACHEV1.DAT
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "µTorrent "= "C:\Program Files\UTorrent\utorrent.exe" [2008-01-31 00:30 219952]
    "DAEMON Tools Pro Agent "= "C:\Program Files\DAEMON Tools Pro\DTProAgent.exe" [2007-09-17 04:52 136136]
    "uTorrent "= "C:\Program Files\UTorrent\utorrent.exe" [2008-01-31 00:30 219952]
    "updateMgr "= "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45 313472]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SunJavaUpdateSched "= "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe" [2006-12-15 04:23 75520]
    "NeroFilterCheck "= "C:\WINDOWS\system32\NeroCheck.exe" [2006-01-12 15:40 155648]
    "QuickTime Task "= "C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 06:24 286720]
    "iTunesHelper "= "C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-26 14:42 267064]
    "OpwareSE2 "= "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [2003-05-08 11:00 49152]
    "ccApp "= "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-08-18 10:02 115560]
    "SoundMan "= "SOUNDMAN.EXE" [2003-02-10 23:59 47104 C:\WINDOWS\SOUNDMAN.EXE]
    "BluetoothAuthenticationAgent "= "irprops.cpl" [2004-08-04 03:56 380416 C:\WINDOWS\system32\irprops.cpl]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "ALUAlert "= "C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe" [2007-08-11 20:05 492912]

    C:\Documents and Settings\Virginia.ZEPHYR\Start Menu\Programs\Startup\
    NaturalColorLoad.lnk - C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe [2006-05-10 21:07:59 155715]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2006-05-10 21:40:59 25214]
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
    Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]
    NaturalColorLoad.lnk - C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe [2006-05-10 21:07:59 155715]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "vidc.ffds "= C:\PROGRA~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll
    "vidc.wmv3 "= C:\PROGRA~1\COMBIN~1\Filters\wmv9vcm.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
    @= "Service "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
    @= "Service "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
    @= "Service "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antvirus]
    @= "Service "

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
    --a--c--- 2004-12-14 02:12 483328 C:\Program Files\Adobe\Acrobat 7.0\Distillr\acrotray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    --a------ 2007-09-26 14:42 267064 C:\Program Files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    --a------ 2007-06-29 06:24 286720 C:\Program Files\QuickTime\QTTask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring "=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "C:\\Program Files\\UTorrent\\utorrent.exe "=
    "C:\\Program Files\\Last.fm\\LastFM.exe "=
    "C:\\Program Files\\Bonjour\\mDNSResponder.exe "=
    "C:\\Program Files\\iTunes\\iTunes.exe "=
    "C:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe "=
    "C:\\Program Files\\AIM\\aim.exe "=
    "C:\\WINDOWS\\system32\\dpvsetup.exe "=
    "C:\\Program Files\\LimeWire\\LimeWire.exe "=
    "C:\\Program Files\\Messenger\\msmsgs.exe "=
    "C:\\Program Files\\Symantec AntiVirus\\Smc.exe "=
    "C:\\Program Files\\Symantec AntiVirus\\SNAC.EXE "=
    "C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe "=

    R1 vcdrom;Virtual CD-ROM Device Driver;C:\WINDOWS\system32\drivers\VCdRom.sys [2001-12-19 11:45]
    R2 Viewpoint Manager Service;Viewpoint Manager Service;C:\Program Files\Viewpoint\Common\ViewpointService.exe [2007-01-04 17:38]
    R3 WMP11V27;Instant Wireless PCI Card V2.7 Driver;C:\WINDOWS\system32\DRIVERS\WMP11V27.sys [2002-07-30 05:22]
    S1 lusbaudio;Logitech USB Microphone;C:\WINDOWS\system32\drivers\OVSound2.sys [2001-08-17 17:05]
    S3 COH_Mon;COH_Mon;C:\WINDOWS\system32\Drivers\COH_Mon.sys [2008-08-18 10:02]
    S3 QCEmerald;Logitech QuickCam Web;C:\WINDOWS\system32\DRIVERS\OVCE.sys [2001-08-17 17:05]

    *Newly Created Service* - CATCHME
    *Newly Created Service* - PROCEXP90
    .
    Contents of the 'Scheduled Tasks' folder

    2008-08-20 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]
    .
    .
    ------- Supplementary Scan -------
    .
    FireFox -: Profile - C:\Documents and Settings\Virginia.ZEPHYR\Application Data\Mozilla\Firefox\Profiles\6rbi32nk.default\
    FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.com/ig
    .

    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-08-24 18:38:40
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...


    C:\DOCUME~1\VIRGIN~1.ZEP\LOCALS~1\Temp\RGI439.tmp

    scan completed successfully
    hidden files: 1

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    PROCESS: C:\WINDOWS\system32\winlogon.exe
    -> C:\WINDOWS\system32\tsd32.dll
    .
    Completion time: 2008-08-24 18:41:09
    ComboFix-quarantined-files.txt 2008-08-24 22:41:03
    ComboFix2.txt 2008-08-24 21:31:03

    Pre-Run: 5,436,305,408 bytes free
    Post-Run: 5,449,007,104 bytes free

    176 --- E O F --- 2008-08-18 07:07:42
     
    Last edited: 2008/08/24
    ginsta,
    #5
  7. 2008/08/24
    ginsta

    ginsta Inactive Thread Starter

    Joined:
    2008/08/23
    Messages:
    11
    Likes Received:
    0
    So, I did as you asked but the RegSearch program froze at a certain point and stopped responding. Even so, the log still popped up afterwards even after the program had stopped responding. So, I'm not sure if that affected anything. Hopefully not.

    Here's the RegSearch log:

    Windows Registry Editor Version 5.00

    ; Registry Search 2.0 by Bobbi Flekman © 2005
    ; Version: 2.0.5.0

    ; Results at 8/24/2008 7:07:54 PM for strings:
    ; '7ei8xbm1.exe'
    ; 'mf3i17rt.exe'
    ; Strings excluded from search:
    ; (None)
    ; Search in:
    ; Registry Keys Registry Values Registry Data
    ; HKEY_LOCAL_MACHINE HKEY_USERS


    [HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Quarantine\QRecords\267386880]
    "FName "= "c:\\windows\\system32\\7ei8xbm1.exe "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Quarantine\QRecords\273940480]
    "FName "= "c:\\windows\\system32\\7ei8xbm1.exe "

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache]
    "C:\\WINDOWS\\system32\\7EI8XBm1.exe "= "7EI8XBm1 "

    ; End Of The Log...
     
    ginsta,
    #6
  8. 2008/08/24
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Looks good. Lets see if there's anything else lurking about. Download ATF Cleaner by Atribune and save it to your Desktop.
    • Double click ATF-Cleaner.exe to run the program.
    • Check the boxes to the left of:

      • Windows Temp
      • Current User Temp
      • All Users Temp
      • Temporary Internet Files
      • Prefetch
      • Java Cache
      • Recycle bin

    • The rest are optional - if you want it to remove everything check "Select All ".
    • Finally, click Empty Selected. When you get the "Done Cleaning" message, click OK
    • Recommend you also click the Firefox link on the menu and cleanup that profile as well.
    • Exit ATF Cleaner when complete.
    Reboot

    Now, do an online scan with Kaspersky Online Scanner

    Click Accept, when prompted to download and install the program files and database of malware definitions.
    • Click Run at the Security prompt.
    • The program will then begin downloading and installing and will also update the database.
    • Please be patient as this can take several minutes.
    • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
    • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
    • Click View scan report at the bottom.
    • Click the Save Report As... button.
    • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.
    **Note**

    To optimize scanning time and produce a more sensible report for review:
    • Close any open programs.
    • Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.
    Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.


    Post the Kaspersky log and one more fresh HijackThis log.
     
    noahdfear,
    #7
  9. 2008/08/24
    ginsta

    ginsta Inactive Thread Starter

    Joined:
    2008/08/23
    Messages:
    11
    Likes Received:
    0
    Haven't done those steps yet but I just wanted to mention that I just realized that my sound isn't working now.

    I noticed my sound wasn't working so I opened up my Control Panel so that I could check on the Sound/Audio Devices but then a little Error window pops up saying:

    To enable the advanced sound effect for gaming, please make sure the setting of Harware Acceleration is "full ". The directory is as below: Control Panel -> Multimedia(Win98)/Sound & Multimedia(Win200, Me)/Sound & Audio Device(WinXP) -> Audio -> Playback/Advance...-> Performance -> Hardware Acceleration

    and there's a little "Ok" button, which I ignored and just kept [X]ing out of the window, which popped up again a few more times. Then when I checked my Sound & Audio Devices, it says there's "No Audio Device ". Not sure what's going on, if something was deleted or what.

    Will reply shortly with the Kaspersky log and fresh HJT log.
     
    ginsta,
    #8
  10. 2008/08/24
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    I guess I would question why you X'd it off instead of clicking OK :confused:

    We'll check the audio problem as well. Lets get the malware cleanup done first. ;)
     
    noahdfear,
    #9
  11. 2008/08/25
    ginsta

    ginsta Inactive Thread Starter

    Joined:
    2008/08/23
    Messages:
    11
    Likes Received:
    0
    Well, after awhile I did start clicking "Ok," however after rebooting, the little window message is no longer popping up and my sound seems to be working just fine again!

    Sorry for the crazy delay, when I tried to run Kaspersky, a little message saying "Starting Java Applet has failed! Please go online to use this program" would come up and then my computer would start to scan but my browser would close suddenly after a few minutes in.

    I ended up updating my Java to the most current version and was able to run Kaspersky, although the entire scan took like 8 hours.

    Here are the results of the Kaspersky Scanner:

    --------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER 7 REPORT
    Monday, August 25, 2008
    Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
    Kaspersky Online Scanner 7 version: 7.0.25.0
    Program database last update: Monday, August 25, 2008 01:16:13
    Records in database: 1141788
    --------------------------------------------------------------------------------

    Scan settings:
    Scan using the following database: extended
    Scan archives: yes
    Scan mail databases: yes

    Scan area - My Computer:
    A:\
    C:\
    D:\
    E:\
    F:\
    G:\
    H:\

    Scan statistics:
    Files scanned: 104398
    Threat name: 4
    Infected objects: 68
    Suspicious objects: 0
    Duration of the scan: 08:15:23


    File name / Threat name / Threats count
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08980000\48BCC543.VBN Infected: Trojan-Downloader.Win32.BHO.pe 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08980001\48BCE27E.VBN Infected: Trojan-Downloader.Win32.BHO.pe 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0BFC0000\4BFF4D12.VBN Infected: Trojan-Downloader.Win32.BHO.pe 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0BFC0001\4BFF6726.VBN Infected: Trojan-Downloader.Win32.BHO.pe 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0BFC0002\4BFF8115.VBN Infected: Trojan-Downloader.Win32.BHO.pe 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0BFC0003\4BFF9D26.VBN Infected: Trojan-Downloader.Win32.BHO.pe 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0BFC0004\4BFFB9C3.VBN Infected: Trojan-Downloader.Win32.BHO.pe 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0BFC0005\4BFFD5DB.VBN Infected: Trojan-Downloader.Win32.BHO.pe 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E540000\4EFEC9EE.VBN Infected: Trojan-Downloader.Win32.BHO.pe 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E540001\4EFECC60.VBN Infected: Trojan-Downloader.Win32.BHO.pe 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E540002\4EFECEF7.VBN Infected: Trojan-Downloader.Win32.BHO.pe 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E540003\4EFED1A1.VBN Infected: Trojan-Downloader.Win32.BHO.pe 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E540004\4EFED32F.VBN Infected: Trojan-Downloader.Win32.BHO.pe 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E540005\4EFED6CD.VBN Infected: Trojan-Downloader.Win32.BHO.pe 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E540006\4EFED8D3.VBN Infected: Trojan-Downloader.Win32.BHO.pe 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E540007\4EFEDA14.VBN Infected: Trojan-Downloader.Win32.BHO.pe 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E540008\4EFEDDC6.VBN Infected: Trojan-Downloader.Win32.BHO.pe 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E540009\4EFEE218.VBN Infected: Trojan-Downloader.Win32.BHO.pe 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E54000A\4EFEE42B.VBN Infected: Trojan-Downloader.Win32.Agent.aboo 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E54000B\4EFEE5D1.VBN Infected: Trojan-Downloader.Win32.BHO.pe 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E54000C\4EFEFBE0.VBN Infected: Trojan-Downloader.Win32.Agent.abrf 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\121C0000\5ABCAFDD.VBN Infected: Trojan-Downloader.Win32.BHO.pe 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\123C0000\5ABC4807.VBN Infected: Trojan-Downloader.Win32.BHO.pe 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\123C0001\5ABC4A77.VBN Infected: Trojan-Downloader.Win32.BHO.pe 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\123C0002\5ABC4D8F.VBN Infected: Trojan-Downloader.Win32.BHO.pe 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\123C0003\5ABC50C8.VBN Infected: Trojan-Downloader.Win32.BHO.pe 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\123C0004\5ABC518D.VBN Infected: Trojan-Downloader.Win32.BHO.pe 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\123C0005\5ABC518E.VBN Infected: Trojan-Downloader.Win32.BHO.pe 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\123C0006\5ABC518E.VBN Infected: Trojan-Downloader.Win32.BHO.pe 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\123C0007\5ABC518F.VBN Infected: Trojan-Downloader.Win32.BHO.pe 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\123C0008\5ABC518F.VBN Infected: Trojan-Downloader.Win32.BHO.pe 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\123C0009\5ABC5190.VBN Infected: Trojan-Downloader.Win32.BHO.pe 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\123C000A\5ABC5191.VBN Infected: Trojan-Downloader.Win32.BHO.pe 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\123C000B\5ABC5191.VBN Infected: Trojan-Downloader.Win32.BHO.pe 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\123C000C\5ABC5192.VBN Infected: Trojan-Downloader.Win32.BHO.pe 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\123C000D\5ABC5192.VBN Infected: Trojan-Downloader.Win32.BHO.pe 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\123C000E\5ABC5192.VBN Infected: Trojan-Downloader.Win32.Agent.aboo 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\123C000F\5ABC5193.VBN Infected: Trojan-Downloader.Win32.BHO.pe 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\123C0010\5ABC5194.VBN Infected: Trojan-Downloader.Win32.BHO.pe 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\123C0011\5ABC5194.VBN Infected: Trojan-Downloader.Win32.BHO.pe 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\123C0012\5ABC5195.VBN Infected: Trojan-Downloader.Win32.BHO.pe 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\123C0013\5ABC5195.VBN Infected: Trojan-Downloader.Win32.BHO.pe 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\123C0014\5ABC5196.VBN Infected: Trojan-Downloader.Win32.BHO.pe 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\123C0015\5ABC5196.VBN Infected: Trojan-Downloader.Win32.BHO.pe 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\123C0016\5ABC5197.VBN Infected: Trojan-Downloader.Win32.BHO.pe 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\123C0017\5ABC5197.VBN Infected: Trojan-Downloader.Win32.Agent.abrf 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\123C0018\5ABC5198.VBN Infected: Trojan-Downloader.Win32.BHO.pe 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\123C0019\5ABC5199.VBN Infected: Trojan-Downloader.Win32.BHO.pe 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\123C001A\5ABC5199.VBN Infected: Trojan-Downloader.Win32.Agent.aboo 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\123C001B\5ABC519A.VBN Infected: Trojan-Downloader.Win32.BHO.pe 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\123C001C\5ABC519A.VBN Infected: Trojan-Downloader.Win32.BHO.pe 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\123C001D\5ABC519B.VBN Infected: Trojan-Downloader.Win32.BHO.pe 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\123C001E\5ABC6569.VBN Infected: Trojan-Downloader.Win32.BHO.pe 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\123C001F\5ABC8170.VBN Infected: Trojan-Downloader.Win32.BHO.pe 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\123C0020\5ABC9D93.VBN Infected: Trojan-Downloader.Win32.BHO.pe 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\123C0021\5ABCB9DC.VBN Infected: Trojan-Downloader.Win32.BHO.pe 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\17A00000\5FAEBDF9.VBN Infected: Trojan-Downloader.Win32.BHO.pe 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\17BC0000\5FBD9251.VBN Infected: Trojan-Downloader.Win32.BHO.pe 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\17BC0001\5FBDAC95.VBN Infected: Trojan-Downloader.Win32.BHO.pe 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\17BC0002\5FBDC704.VBN Infected: Trojan-Downloader.Win32.BHO.pe 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\17BC0003\5FBDE2BB.VBN Infected: Trojan-Downloader.Win32.BHO.pe 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\17BC0004\5FBDFF00.VBN Infected: Trojan-Downloader.Win32.BHO.pe 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\17BC0005\5FBE1B4D.VBN Infected: Trojan-Downloader.Win32.BHO.pe 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\17BC0006\5FBE3773.VBN Infected: Trojan-Downloader.Win32.BHO.pe 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\17BC0007\5FBE53CC.VBN Infected: Trojan-Downloader.Win32.BHO.pe 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\17BC0008\5FBE6FFF.VBN Infected: Trojan-Downloader.Win32.BHO.pe 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\17BC0009\5FBE8C74.VBN Infected: Trojan-Downloader.Win32.BHO.pe 1
    C:\Documents and Settings\Virginia.ZEPHYR\My Documents\muzack morris\Nero 6.6.1.15\Nero-6.6.1.15.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.bm 1

    The selected area was scanned.
     
    ginsta,
    #10
  12. 2008/08/25
    ginsta

    ginsta Inactive Thread Starter

    Joined:
    2008/08/23
    Messages:
    11
    Likes Received:
    0
    And here's my new HJT log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:03:50 AM, on 8/25/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Symantec AntiVirus\Smc.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\Program Files\Symantec AntiVirus\SmcGui.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\UTorrent\utorrent.exe
    C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O1 - Hosts: 85.17.40.71 oink.me.uk
    O1 - Hosts: 85.17.40.69 tracker.oink.me.uk
    O1 - Hosts: 85.17.40.70 irc.oink.me.uk
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
    O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe "
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe "
    O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe "
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKCU\..\Run: [µTorrent] "C:\Program Files\UTorrent\utorrent.exe "
    O4 - HKCU\..\Run: [DAEMON Tools Pro Agent] "C:\Program Files\DAEMON Tools Pro\DTProAgent.exe "
    O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\UTorrent\utorrent.exe "
    O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
    O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
    O4 - Startup: NaturalColorLoad.lnk = ?
    O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: NaturalColorLoad.lnk = ?
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
    O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
    O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
    O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {072039AB-2117-4ED5-A85F-9B9EB903E021} (NowStarter Control) - http://www.clubbox.co.kr/neo.fld/NowStarter.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1178227824718
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1178227804078
    O16 - DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} (Domino Web Access 7 Control) - http://vram9c.vcu.edu/dwa7W.cab
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5364/mcfscan.cab
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Smc.exe
    O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\SNAC.EXE
    O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

    --
    End of file - 9302 bytes
     
    ginsta,
    #11
  13. 2008/08/26
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Great! Glad to hear you got Java updated too. You should go to Add/Remove programs and uninstall all old version as well. They are exploitable if left installed.

    Other than what Norton has in quarantine, only some embedded MyWebSearch junk in a Nero setup file ....... of no consequence in my opinion.

    Lets clean up. Open your Norton control panel and remove all quarantined items.

    Click Start>Run and type ComboFix /u then hit Enter to uninstall ComboFix and remove the files it has quarantined. This action will also reset the System Restore points, removing the infected files there as well. You can delete any logs that were created/saved too.


    Run ATF Cleaner once more as outlined above.

    That should wrap things up. How's the computer performing now?

    P2P - I see you have P2P software ([color= "Red"]uTorrent[/color]) installed on your machine. I'm not passing judgment on file-sharing as a concept. However, I will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. This page will give you further information.

    Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

    References for the risk of these programs are here,
    here and here.


    Additionally, these apps often run in the background when you start your computer (I see uTorrent running in your log), consuming cpu cycles and bandwidth.

    I would strongly recommend that you uninstall them, however that choice is up to you. If you choose to remove these programs, you can do so via Control Panel >> Add or Remove Programs.
     
    noahdfear,
    #12
  14. 2008/08/26
    ginsta

    ginsta Inactive Thread Starter

    Joined:
    2008/08/23
    Messages:
    11
    Likes Received:
    0
    Ok, had a minor issue w/ using that command for uninstalling ComboFix but I just run cmd and then cd desktop and did it from there and it was ok.

    Am running the ATF cleaner now...
     
    Last edited: 2008/08/26
    ginsta,
    #13
  15. 2008/08/26
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Use this command instead.

    "%userprofile%\desktop\combofix.exe" /u
     
    noahdfear,
    #14
  16. 2008/08/26
    ginsta

    ginsta Inactive Thread Starter

    Joined:
    2008/08/23
    Messages:
    11
    Likes Received:
    0
    Ok, I just ran ATF cleaner and cleaned out Firefox, as well.

    My computer seems to be working better than it was before.

    Should I do any other final scans just to make sure I'm completely clean?
     
    ginsta,
    #15
  17. 2008/08/26
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    I think you're good to go. :)
     
    noahdfear,
    #16
  18. 2008/08/26
    ginsta

    ginsta Inactive Thread Starter

    Joined:
    2008/08/23
    Messages:
    11
    Likes Received:
    0
    Great! Thanks, Noah! I really appreciate it.

    You can mark this thread as Resolved :D
     
    ginsta,
    #17
  19. 2008/08/26
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    You're very welcome. Glad I could help. :)
     
    noahdfear,
    #18

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Accept Learn More...