Help with several problems ..


  • This topic is locked
20 replies to this topic

#1 symbiote28

    Member

  • Full Member
  • 10 posts

Posted 12 June 2007 - 10:43 AM

hey all .. I'm new here and I wish I could get all the help needed .. my computer is forever giving me problems and it's time that I ask for guidance and help to fix my computer in any way possible .. one thing that's been bothering me is my internet connection .. I know it sounds strange but my internet will keep disconnecting every 1 hour and 2 minutes .. it baffles me as to why this happens .. I'll have to disable my Local Area Connection under Network Connections and then re-enable it after every 1 hour and 2 minutes .. I hope it's not a hardware problem but rather an internal virus/malicious tool that is causing this limit .. I beg anyone of you to help me and inform me of anything that isn't supposed to be on my computer .. thank you ..

below is the logfile of HijackThis

-------------------------------------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 11:40:40 PM, on 6/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\System32\WScript.exe
C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Download Manager\IDMan.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
C:\WINDOWS\system32\sistray.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\WINDOWS\system32\CTPdeSrv.exe
C:\Program Files\Winamp\winamp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Last.fm\LastFM.exe
C:\Program Files\uTorrent\utorrent.exe
C:\PROGRA~1\DrWeb\spidernt.exe
C:\Program Files\DrWeb\spiderml.exe
C:\WINDOWS\system32\wscript.exe
C:\WINDOWS\system32\wscript.exe
C:\Program Files\Opera\Opera.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wscript.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\achi.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Achitasin&MindMap
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\jrtib.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,tmallcg.exe
O1 - Hosts: 127.255.255.255 www.getright.com
O1 - Hosts: 127.255.255.255 pro.getright.com
O1 - Hosts: 127.255.255.255 www.headlightinc.com
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Protection Bar - {0D045BAA-4BD3-4C94-BE8B-21536BD6BD9F} - C:\Program Files\Video ActiveX Object\iesplugin.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TESTBATBAGSLICENSE] C:\Documents and Settings\All Users\Application Data\FunkRealTestBat\nurb idle.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [spywareremover] C:\Documents and Settings\Home PC\Application Data\SpywareRemover\SpywareRemover.exe -boot
O4 - HKLM\..\Run: [SpIDerNT] C:\PROGRA~1\DrWeb\spidernt.exe /agent
O4 - HKLM\..\Run: [SpIDerMail] "C:\Program Files\DrWeb\spiderml.exe"
O4 - HKLM\..\Run: [MS32DLL] C:\WINDOWS\achi.dll.vbs
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"
O4 - HKCU\..\Run: [software intra] C:\DOCUME~1\HOMEPC~1\APPLIC~1\TRANSF~1\rulebindsurf.exe
O4 - HKCU\..\Run: [IDMan] C:\Program Files\Internet Download Manager\IDMan.exe /onboot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: HPAiODevice(hp psc 700 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O8 - Extra context menu item: Download All Links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O9 - Extra button: (no name) - {8DAE90AD-4583-4977-9DD4-4360F7A45C74} - (no file)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zon...kr.cab56986.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by24fd.bay24....es/MsnPUpld.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.co...aploader_v6.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SpIDer Guard for Windows NT (spidernt) - Doctor Web, Ltd. - C:\PROGRA~1\DrWeb\SpiderNT.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

Edited by symbiote28, 12 June 2007 - 08:20 PM.


#2 symbiote28

    Member

  • Full Member
  • 10 posts

Posted 13 June 2007 - 07:55 AM

please anyone? :oops:

#3 SWI Support Robot

    Helper robot

  • SWI Bot
  • 23,523 posts

Posted 15 June 2007 - 06:30 AM

Welcome to SWI. We apologize for the delay; our helpers have been very busy.
If you have not received help after 3 days, please CLICK HERE, and post a link to your log and the date it was originally posted.

Thank you for your patience.

[this is an automated reply]
This is an automated message. It does not count as help.

#4 Juliet

    Forum Deity

  • Trusted Advisor
  • 843 posts

Posted 19 June 2007 - 09:35 AM

Hi and welcome


Your system shows you are running Norton antivirus and DrWeb antivirus.
This causes system clashes and instability, and the possibility of false reports with a huge waste of system resources. And in many cases it actually lowers your protection instead of adding.
You can keep both programs, but you must disable the real-time component of one AntiVirus, keeping it as an on-demand scanner, while the other AV will provide a real-time protection.
The alternative is to uninstall one AV and keep the other.
You make the call and if you need help uninstalling one please let me know.
Here are two articles where it is explained in detail.
Symantec
Microsoft

I notice that you have Spybot's TeaTimer running. While this is normally a wonderful tool to protect against hijackers, it can also interfere with HijackThis fixes. So please disable TeaTimer by doing the following:
1) Run Spybot-S&D
2) Go to the Mode menu, and make sure "Advanced Mode" is selected
3) On the left hand side, choose Tools -> Resident
4) Uncheck "Resident TeaTimer" and OK any prompts
You can reenable TeaTimer once your system is clean.
Do you have Netpumper or Bitgrabber or BitRoll installed? If so, uninstall them via Start -> Control Panel -> Software -> Add or Remove Programs.

Also, please check to see if the following are present in Add or Remove Programs and uninstall them if found:

CiD Manager
CiD Help
Download Plugin for Internet Explorer
Messenger Plus
Messenger Plus 2
Messenger Plus 3
Zone Media
Torrent101



If during uninstall, you are asked for uninstall Verification, please enter the numbers that will appear in the window.

Then reboot. <-- Important!



Please download NoLop to the Desktop
Link 1
Link 2

*Close any programs you have running since a reboot is required
*Double click NoLop.exe to run it
*Next, click the button labeled: Search and Destroy
<<your computer will now be scanned for infected files>>
*When the scan finishes, if infected, you are prompted to reboot
Click OK
Now click: REBOOT
A Message should popup from NoLop. If not, double click the program again and it will finish.
Please Post the contents of C:\NoLop.log along with a new HijackThis log

If you receive an error, "mscomctl.ocx or one of its dependencies are not correctly registered," please download mscomctl.ocx to your system32 folder then rerun the program.
Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

You should print out these instructions, or copy them to a Notepad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Please reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning: running option #2 on a non-infected computer will remove your Desktop background.

Clean out your Temporary Internet files. Proceed like this:
Quit Internet Explorer and quit any instances of Windows Explorer.
Click Start, click Control Panel, and then double click Internet Options.
On the General tab, click Delete files under Temporary Internet Files.
In the Delete Files dialog box, tick the Delete all offline content check box, and then click OK
On the General tab, click Delete Cookies under Temporary Internet Files, and then click OK
Click on the Programs tab then click the Reset Web Settings button. Click Apply then OK
Click OK


Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlog...processutil.htm

Also make sure the 'Lock desktop items' box is unticked. Click OK, and then Click Apply, then OK.


Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #3 - Delete Trusted zone by typing 3 and press Enter

Note, if you use SpywareBlaster and/or IE-SPYAD, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the Programme and re-protect all items. For IE-SPYAD, run the batch file and reinstall the protection.
In your next reply post:
C:\NoLop.log
SmitfraudFix - C:\rapport.txt
New HJT log
Comments on how your computer is running now
Sometimes the angels fly close enough to you that you can hear the flutter of their wings
My help is free, but if you wish to help keep these forums running please consider a donation, see this topic for details.

#5 symbiote28

    Member

  • Full Member
  • 10 posts

Posted 19 June 2007 - 10:45 PM

thanks for the reply .. I've been feeling my computer is a bit faster now .. thank you .. here are the following logs you've asked for .. hope you can further improve my computer! thanks! and one more thing: I can't remove DrWeb for some reason .. I tried uninstalling it but I get an error message displaying all sorts of numbers and letters ..

C:\NoLop.log

NoLop! Log by Skate_Punk_21

Fix running from: C:\Documents and Settings\Home PC\Desktop
[6/20/2007]
[11:05:56 AM]

---Infection Files Found/Removed---
C:\WINDOWS\tasks\A7F61E2B91859B4F.job

Beginning Removal...
Rebooting...
Removing Lop's Leftover Files/Folders...
Editing Registry...
**Fix Complete!**

---Listing AppData sub directories---

C:\Documents and Settings\Administrator\Application Data\Microsoft
C:\Documents and Settings\All Users\Application Data\Apple Computer
C:\Documents and Settings\All Users\Application Data\Avg7
C:\Documents and Settings\All Users\Application Data\Creative
C:\Documents and Settings\All Users\Application Data\Funkrealtestbat
C:\Documents and Settings\All Users\Application Data\Google
C:\Documents and Settings\All Users\Application Data\Grisoft
C:\Documents and Settings\All Users\Application Data\Installshield
C:\Documents and Settings\All Users\Application Data\Macromedia
C:\Documents and Settings\All Users\Application Data\Microsoft
C:\Documents and Settings\All Users\Application Data\Popcap
C:\Documents and Settings\All Users\Application Data\Sbt
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
C:\Documents and Settings\All Users\Application Data\Symantec
C:\Documents and Settings\All Users\Application Data\Trymedia
C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
C:\Documents and Settings\All Users\Application Data\Windows Live Toolbar
C:\Documents and Settings\Default User\Application Data\Microsoft
C:\Documents and Settings\Home Pc\Application Data\123 Free Puzzle -- EMPTY Directory
C:\Documents and Settings\Home Pc\Application Data\Adobe
C:\Documents and Settings\Home Pc\Application Data\Albumart
C:\Documents and Settings\Home Pc\Application Data\Apple Computer
C:\Documents and Settings\Home Pc\Application Data\Avg7
C:\Documents and Settings\Home Pc\Application Data\Azureus
C:\Documents and Settings\Home Pc\Application Data\Bittorrent
C:\Documents and Settings\Home Pc\Application Data\Creative
C:\Documents and Settings\Home Pc\Application Data\Dmcache
C:\Documents and Settings\Home Pc\Application Data\Download Master
C:\Documents and Settings\Home Pc\Application Data\Getrighttogo
C:\Documents and Settings\Home Pc\Application Data\Google
C:\Documents and Settings\Home Pc\Application Data\Help -- EMPTY Directory
C:\Documents and Settings\Home Pc\Application Data\Identities
C:\Documents and Settings\Home Pc\Application Data\Idm
C:\Documents and Settings\Home Pc\Application Data\Intertrust
C:\Documents and Settings\Home Pc\Application Data\Jasc Software Inc
C:\Documents and Settings\Home Pc\Application Data\Lavasoft
C:\Documents and Settings\Home Pc\Application Data\Macromedia
C:\Documents and Settings\Home Pc\Application Data\Megauploadtoolbar
C:\Documents and Settings\Home Pc\Application Data\Microsoft
C:\Documents and Settings\Home Pc\Application Data\Microsoft Web Folders -- EMPTY Directory
C:\Documents and Settings\Home Pc\Application Data\Mozilla
C:\Documents and Settings\Home Pc\Application Data\Msninstaller
C:\Documents and Settings\Home Pc\Application Data\Opera
C:\Documents and Settings\Home Pc\Application Data\Orbit
C:\Documents and Settings\Home Pc\Application Data\Playfirst
C:\Documents and Settings\Home Pc\Application Data\Real
C:\Documents and Settings\Home Pc\Application Data\Share-to-web Upload Folder -- EMPTY Directory
C:\Documents and Settings\Home Pc\Application Data\Spywareremover
C:\Documents and Settings\Home Pc\Application Data\Sun
C:\Documents and Settings\Home Pc\Application Data\Symantec
C:\Documents and Settings\Home Pc\Application Data\Teleca
C:\Documents and Settings\Home Pc\Application Data\Transfork
C:\Documents and Settings\Home Pc\Application Data\Utorrent
C:\Documents and Settings\Home Pc\Application Data\Vlc
C:\Documents and Settings\Localservice\Application Data\Avg7 -- EMPTY Directory
C:\Documents and Settings\Localservice\Application Data\Macromedia
C:\Documents and Settings\Localservice\Application Data\Megauploadtoolbar
C:\Documents and Settings\Localservice\Application Data\Microsoft
C:\Documents and Settings\Localservice\Application Data\Symantec
C:\Documents and Settings\Networkservice\Application Data\Microsoft

----------------------------------------------------------------------------------------------------------------------------

SmitfraudFix - C:\rapport.txt

SmitFraudFix v2.195

Scan done at 11:26:00.68, Wed 06/20/2007
Run from C:\Documents and Settings\Home PC\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

Killing process


hosts

127.0.0.1 localhost
127.0.0.1 bin.errorprotector.com ## added by CiD
127.0.0.1 br.errorsafe.com ## added by CiD
127.0.0.1 br.winantivirus.com ## added by CiD
127.0.0.1 br.winfixer.com ## added by CiD
127.0.0.1 cdn.drivecleaner.com ## added by CiD
127.0.0.1 cdn.errorsafe.com ## added by CiD
127.0.0.1 cdn.winsoftware.com ## added by CiD
127.0.0.1 de.errorsafe.com ## added by CiD
127.0.0.1 de.winantivirus.com ## added by CiD
127.0.0.1 download.cdn.drivecleaner.com ## added by CiD
127.0.0.1 download.cdn.errorsafe.com ## added by CiD
127.0.0.1 download.cdn.winsoftware.com ## added by CiD
127.0.0.1 download.errorsafe.com ## added by CiD
127.0.0.1 download.systemdoctor.com ## added by CiD
127.0.0.1 download.winantispyware.com ## added by CiD
127.0.0.1 download.windrivecleaner.com ## added by CiD
127.0.0.1 download.winfixer.com ## added by CiD
127.0.0.1 drivecleaner.com ## added by CiD
127.0.0.1 dynamique.drivecleaner.com ## added by CiD
127.0.0.1 errorprotector.com ## added by CiD
127.0.0.1 errorsafe.com ## added by CiD
127.0.0.1 es.winantivirus.com ## added by CiD
127.0.0.1 fr.winantivirus.com ## added by CiD
127.0.0.1 fr.winfixer.com ## added by CiD
127.0.0.1 go.drivecleaner.com ## added by CiD
127.0.0.1 go.errorsafe.com ## added by CiD
127.0.0.1 go.winantispyware.com ## added by CiD
127.0.0.1 go.winantivirus.com ## added by CiD
127.0.0.1 hk.winantivirus.com ## added by CiD
127.0.0.1 instlog.errorsafe.com ## added by CiD
127.0.0.1 instlog.winantivirus.com ## added by CiD
127.0.0.1 instlog.winfixer.com ## added by CiD
127.0.0.1 jsp.drivecleaner.com ## added by CiD
127.0.0.1 kb.errorsafe.com ## added by CiD
127.0.0.1 kb.winantivirus.com ## added by CiD
127.0.0.1 nl.errorsafe.com ## added by CiD
127.0.0.1 se.errorsafe.com ## added by CiD
127.0.0.1 secure.drivecleaner.com ## added by CiD
127.0.0.1 secure.errorsafe.com ## added by CiD
127.0.0.1 secure.winantispam.com ## added by CiD
127.0.0.1 secure.winantispy.com ## added by CiD
127.0.0.1 secure.winantivirus.com ## added by CiD
127.0.0.1 support.winantivirus.com ## added by CiD
127.0.0.1 trial.updates.winsoftware.com ## added by CiD
127.0.0.1 ulog.winantivirus.com ## added by CiD
127.0.0.1 utils.errorsafe.com ## added by CiD
127.0.0.1 utils.winantivirus.com ## added by CiD
127.0.0.1 utils.winfixer.com ## added by CiD
127.0.0.1 winantispyware.com ## added by CiD
127.0.0.1 winantivirus.com ## added by CiD
127.0.0.1 winfixer.com ## added by CiD
127.0.0.1 winfixer2006.com ## added by CiD
127.0.0.1 winsoftware.com ## added by CiD
127.0.0.1 www.drivecleaner.com ## added by CiD
127.0.0.1 www.errorprotector.com ## added by CiD
127.0.0.1 www.errorsafe.com ## added by CiD
127.0.0.1 www.systemdoctor.com ## added by CiD
127.0.0.1 www.utils.winfixer.com ## added by CiD
127.0.0.1 www.win-anti-virus-pro.com ## added by CiD
127.0.0.1 www.win-virus-pro.com ## added by CiD
127.0.0.1 www.winantispam.com ## added by CiD
127.0.0.1 www.winantispy.com ## added by CiD
127.0.0.1 www.winantispyware.com ## added by CiD
127.0.0.1 www.winantivirus.com ## added by CiD
127.0.0.1 www.winantiviruspro.com ## added by CiD
127.0.0.1 www.windrivecleaner.com ## added by CiD
127.0.0.1 www.windrivesafe.com ## added by CiD
127.0.0.1 www.winfixer.com ## added by CiD
127.0.0.1 www.winfixer2006.com ## added by CiD
127.0.0.1 www.winsoftware.com ## added by CiD
127.255.255.255 www.getright.com
127.255.255.255 pro.getright.com
127.255.255.255 www.headlightinc.com

Generic Renos Fix

GenericRenosFix by S!Ri


Deleting infected files

C:\WINDOWS\Tasks\At?.job Deleted

DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{F93BA93D-DF37-41EC-8920-55D0E5450D46}: DhcpNameServer=202.156.1.78 202.156.1.68 218.186.1.88
HKLM\SYSTEM\CS1\Services\Tcpip\..\{F93BA93D-DF37-41EC-8920-55D0E5450D46}: DhcpNameServer=202.156.1.78 202.156.1.68 218.186.1.58
HKLM\SYSTEM\CS2\Services\Tcpip\..\{F93BA93D-DF37-41EC-8920-55D0E5450D46}: DhcpNameServer=202.156.1.78 202.156.1.68 218.186.1.88
HKLM\SYSTEM\CS3\Services\Tcpip\..\{F93BA93D-DF37-41EC-8920-55D0E5450D46}: DhcpNameServer=202.156.1.78 202.156.1.68 218.186.1.88
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=202.156.1.78 202.156.1.68 218.186.1.88
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=202.156.1.78 202.156.1.68 218.186.1.58
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=202.156.1.78 202.156.1.68 218.186.1.88
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=202.156.1.78 202.156.1.68 218.186.1.88


Deleting Temp Files


Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


Registry Cleaning

Registry Cleaning

Registry Cleaning

Registry Cleaning done.

SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


End

----------------------------------------------------------------------------------------------------------------------------

Latest HijackThis! Log

Logfile of HijackThis v1.99.1
Scan saved at 11:39:40 AM, on 6/20/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Winamp\winampa.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
C:\Program Files\Internet Download Manager\IDMan.exe
C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\sistray.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\WINDOWS\system32\CTPdeSrv.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Opera\Opera.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Achitasin&MindMap
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,tmallcg.exe
O1 - Hosts: 127.255.255.255 www.getright.com
O1 - Hosts: 127.255.255.255 pro.getright.com
O1 - Hosts: 127.255.255.255 www.headlightinc.com
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [LanzarL2007] "C:\DOCUME~1\HOMEPC~1\LOCALS~1\Temp\{E4F04258-9F60-437E-A026-BF80A37B5CCB}\{D1DA2BA7-2592-4036-9BB2-DCCABDE8DC1A}\..\..\L2007tmp\Setup.exe" /SETUP:"/l0x0009"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"
O4 - HKCU\..\Run: [IDMan] C:\Program Files\Internet Download Manager\IDMan.exe /onboot
O4 - Global Startup: HPAiODevice(hp psc 700 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O8 - Extra context menu item: Download All Links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O9 - Extra button: (no name) - {8DAE90AD-4583-4977-9DD4-4360F7A45C74} - (no file)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zon...kr.cab56986.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by24fd.bay24....es/MsnPUpld.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.co...aploader_v6.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccApp.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccApp.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM Host (comHost) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Unknown owner - C:\Program Files\Norton Internet Security\isPwdSvc.exe (file missing)
O23 - Service: LiveUpdate - Unknown owner - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE (file missing)
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe (file missing)
O23 - Service: Symantec AppCore Service (SymAppCore) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe (file missing)
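The two HijackThis logs posted in this thread are read by hand, entry type by entry type: the F2 UserInit line with a second executable chained on, the O1 hosts lines that redirect getright.com to 127.255.255.255 rather than sinking a name to 127.0.0.1 the way the CiD block-list entries in rapport.txt do, the O4 autorun that launches a .vbs, and the O2/O3/O23 entries whose files are already gone. The script below is an added example for this page, not code from the thread, from HijackThis or from any of the tools named above; it encodes those same reading rules as a small triage pass over a constructed sample of log lines. The rule set, the severity labels and the sample lines are my own assumptions, modelled on the entry types shown in the logs.

```python
"""Triage of HijackThis v1.99 log lines, reproducing the checks the helper in
this thread applies by hand. Added example for this page; it is not code from
the thread, from HijackThis, or from any of the tools named above. The rule
set, the severities and the sample lines below are my own assumptions."""
import re
from dataclasses import dataclass

# Constructed sample: lines in HijackThis format. Several are modelled on the
# entries the helper told the poster to fix; the rest are ordinary noise.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\achi.htm
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\jrtib.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,tmallcg.exe
O1 - Hosts: 127.255.255.255 www.getright.com
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: Protection Bar - {0D045BAA-4BD3-4C94-BE8B-21536BD6BD9F} - C:\Program Files\Video ActiveX Object\iesplugin.dll (file missing)
O4 - HKLM\..\Run: [MS32DLL] C:\WINDOWS\achi.dll.vbs
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
"""

LINE_RE = re.compile(r"^([RFO]\d+) - (.*)$")
SCRIPT_EXT = (".vbs", ".js", ".jse", ".wsf", ".bat", ".cmd", ".scr", ".pif")
# Hosts entries sinking a name to these addresses are plain block lists (the
# CiD-added 127.0.0.1 lines in rapport.txt above); anything else is a redirect.
BLOCKLIST_SINKS = {"127.0.0.1", "0.0.0.0"}
# Each system.ini key should name exactly one Windows binary.
EXPECTED_F2 = {"shell": "explorer.exe", "userinit": "userinit.exe"}


@dataclass
class Finding:
    code: str      # HijackThis section code, e.g. "F2" or "O4"
    severity: str  # "high" or "low"
    reason: str
    line: str


def check_line(line: str):
    """Return a Finding for one log line, or None if the line looks benign."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    code, rest = m.group(1), m.group(2)
    low = rest.lower()

    if code in ("R0", "R1"):
        # A start page pointed at a local file is the classic hijacked home page.
        if "start page" in low and re.search(r"= [a-z]:\\", low):
            return Finding(code, "high", "start page points at a local file", line)
        return None

    if code == "F2":
        # A second comma-separated executable on Shell= or UserInit= is loaded
        # at every logon alongside the real one.
        key, _, value = rest.partition("=")
        key = key.rsplit(":", 1)[-1].strip().lower()
        parts = [p.strip().lower() for p in value.split(",") if p.strip()]
        expected = EXPECTED_F2.get(key)
        if expected and parts and (len(parts) > 1 or not parts[0].endswith(expected)):
            return Finding(code, "high", f"extra executable chained onto {key}=", line)
        return None

    if code == "O1":
        fields = rest.split()  # "Hosts:", address, hostname
        if len(fields) >= 3 and fields[1] not in BLOCKLIST_SINKS:
            return Finding(code, "high", f"hosts file redirects {fields[2]} to {fields[1]}", line)
        return None

    if code == "O4":
        # Isolate the launched path: drop the [name] tag, quotes and arguments.
        target = low.split("]", 1)[-1] if "]" in low else low.split("=", 1)[-1]
        exe = re.split(r"\s+[-/]", target.strip().strip('"').split('"')[0])[0].strip()
        if exe.endswith(SCRIPT_EXT):
            return Finding(code, "high", "autorun launches a script file", line)
        if "\\temp\\" in exe or "\\application data\\" in exe:
            return Finding(code, "low", "autorun from a temp or per-user data folder", line)
        return None

    if code in ("O2", "O3", "O9", "O23"):
        # Orphaned entries are clean-up candidates rather than active threats.
        if rest.endswith("(no file)") or rest.endswith("(file missing)"):
            return Finding(code, "low", "entry points at a file that no longer exists", line)
    return None


def triage(log_text: str):
    """Run check_line over every line of a log and collect the findings."""
    findings = []
    for line in log_text.splitlines():
        f = check_line(line)
        if f is not None:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:4}] {f.code}: {f.reason}\n        {f.line}")
```

Run against the sample it reports the five high findings (the start page, both F2 lines, the hosts redirect and the .vbs autorun) and two low ones (the orphaned BHO and toolbar), and passes the Winamp autorun and the Creative service as benign. The point of the 127.0.0.1 exception is the one the rapport.txt output makes visible: a hosts file full of rogue-antispyware domains sunk to localhost is a block list, while a legitimate vendor's name sent anywhere else is a redirect that deserves attention.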

#6 Juliet

    Forum Deity

  • Trusted Advisor
  • 843 posts

Posted 20 June 2007 - 09:12 AM

Welcome back

I've been feeling my computer is a bit faster now .. thank you

You're very welcome, but we have more work to do here.

I see two Antivirus programs here....AVG7 and Symantec/Norton.
This causes system clashes and instability, and the possibility of false reports with a huge waste of system resources. And in many cases it actually reduces your protection instead of adding more.
You can keep both programs, but you must disable the real-time component of one AntiVirus, keeping it as an on-demand scanner, while the other AV will provide a real-time protection.
The alternative is to uninstall one AV and keep the other.

You make the call and if you need help uninstalling one please let me know.
Here are two articles where it is explained in detail.
Symantec
Microsoft



Please go to Start -> Control Panel -> Software -> Add or Remove Programs and remove any of the following that are listed:

Bitdownload
Bitgrabber
Bitroll
CiD Manager
CiD Help
Download Plugin for Internet Explorer
Messenger Plus!
Messenger Plus! 2
Messenger Plus! 3
Messenger Plus! Live
Messenger Plus! Live & Sponsor
Netpumper
Zone Media
WinZix


I see you have the MegaUpload Toolbar installed. I do NOT recommend this one since it has a questionable reputation, so I would rather you uninstall it.

If any of the above items were found, uninstall them, then reboot. If it will only uninstall a few at a time, do as many as you can until all are done; this is important.




Download the HostsXpert ...from Here and unzip it to your desktop.
Next, open the HostsXpert
  • Make sure that the "make hosts writable?" button in the upper right corner is checked
  • Now, click on 'back up Host files'
  • then click on 'Restore original host files'
  • Finally, close the hoster
Open HijackThis, Click Do a system scan only, checkmark these. Then close all other windows and browsers except HijackThis and press fix checked.

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,tmallcg.exe
O1 - Hosts: 127.255.255.255 www.getright.com
O1 - Hosts: 127.255.255.255 pro.getright.com
O1 - Hosts: 127.255.255.255 www.headlightinc.com
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O4 - HKLM\..\Run: [LanzarL2007] "C:\DOCUME~1\HOMEPC~1\LOCALS~1\Temp\{E4F04258-9F60-437E-A026-BF80A37B5CCB}\{D1DA2BA7-2592-4036-9BB2-DCCABDE8DC1A}\..\..\L2007tmp\Setup.exe" /SETUP:"/l0x0009"
O9 - Extra button: (no name) - {8DAE90AD-4583-4977-9DD4-4360F7A45C74} - (no file)
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.co...aploader_v6.cab



Please download OTMoveIt by OldTimer:
  • Save it to your desktop.
  • Please double-click OTMoveIt.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose "Copy"):

    C:\WINDOWS\system32\tmallcg.exe

  • Return to OTMoveIt, right-click on the "Paste List of Files/Folders to be Moved" window and choose "Paste".
  • Click the red "MoveIt!" button.
  • Close OTMoveIt.
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose "Yes".

Please post the log from OTMoveIt, located here:

C:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log

Where mmddyyyy_hhmmss is the date of the tool run.





Download ComboFix from Here or Here
IMPORTANT !!! Place it on your Desktop.
  • Double click combofix.exe and follow the prompts.
  • When finished, it will produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouse-click combofix's window while it's running. That may cause it to stall.
When finished and after reboot (in case it asks to reboot), it should open a log, combofix.txt.
Post this log in your next reply together with a new hijackthislog.
Do NOT post the ComboFix-quarantined-files.txt - unless I ask you to.



In your next reply post:
OTMoveIt log
ComboFix.txt
New HJT log

Comments on how your computer is running now


For the DrWeb issue, have you tried going into safe mode to uninstall?

Please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Use the up arrow key to highlight Safe Mode and press Enter.
5) Login with your usual account. Make sure to close any open browsers

Try this next if safe mode does not work.

Please download Ccleaner and save it to your desktop.
Tutorial for CCleaner
During the installation be sure to UN-check the box for "Ccleaner Yahoo Toolbar" unless you want it, Do not run it yet.

From Safe Mode run Ccleaner

Click on: Run Cleaner
Click on: Tools
Select: Dr.Web
Click on: Delete Entry

Next, Click on Options,
Select Advanced
Now UNCHECK "Only delete files in Windows Temp folders older than 48 hours"
Make sure the Cleaner block on the left is selected.
Do not use the "Issues" block . It's meant for professionals.
Choose the Windows tab.
Check everything EXCEPT Advanced part of the Menu.
Click on "Analyze". This process could take a while.
If you don't want to lose your login passwords to certain sites, click on Options
Select cookies and move the ones you want to keep to the "cookies to keep" section, by highlighting and using the arrows in the middle.
Choose Run Cleaner.
When CCleaner shows how much has been removed, cleaning is finished. Click Exit.
If you have more than one user, run Ccleaner for every user.

NOTE: CleanUp! deletes EVERYTHING out of your temp/temporary folders, it does not make backups. If you have any documents or programs that are saved in any Temporary Folders, make a backup of these before running CleanUp!. Do NOT run this program if you have XP Professional 64 bit edition. If you're unsure please do not run it! If you don't already know, you're probably not using XP64, but you can download & run this tool to find out for sure ..... http://kellys-korner...xp_whichcpu.exe

Edited by Juliet, 20 June 2007 - 09:59 AM.

Sometimes the angels fly close enough to you that you can hear the flutter of their wings
My help is free, but if you wish to help keep these forums running please consider a donation, see this topic for details.

#7 symbiote28

symbiote28

    Member

  • Full Member
  • 10 posts

Posted 21 June 2007 - 06:45 AM

im currently stuck at the steps for the OTMoveIt. my computer gave me an error box saying that it cannot create file C:\_OTMoveIt\MovedFiles\06212007_194321.log and that the results indicate that File/Folder C:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log not found. not found.

what should i do? :blush:

#8 ClaudeX

ClaudeX

    Member

  • Full Member
  • 2 posts

Posted 21 June 2007 - 08:32 PM

I saw that you have this trojan invading your computer. Just looking at this tells me so...
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Achitasin&MindMap

That means every time you log in to your Internet Explorer, it will refer to this achitasin&MindMap as your homepage, even if you change your homepage to another website; after a while it will still return back to achitasin&MindMap. I think the risk of this trojan should be high...
Am i right?

#9 Juliet

Juliet

    Forum Deity

  • Trusted Advisor
  • 843 posts

Posted 21 June 2007 - 09:05 PM

Welcome back symbiote28

For right now we'll continue.
If you had HJT fix those entries I indicated, do this next

Please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Use the up arrow key to highlight Safe Mode and press Enter.
5) Login with your usual account. Make sure to close any open browsers.


Using windows explorer search for and delete this file in bold

C:\WINDOWS\system32\tmallcg.exe


Then continue with the rest of the instructions and post the logs please.

In your next reply post:
ComboFix.txt
New HJT log

Comments on how your computer is running now



Note to Claude: if you're having a problem with spyware or malware I must ask that you start your own thread. Thank you.

#10 ClaudeX

ClaudeX

    Member

  • Full Member
  • 2 posts

Posted 21 June 2007 - 10:31 PM

i just happened to see his log contains some of the trojans that i discovered and wished to inform him about it. I'm sorry if you think that way. Trying to help and yet misunderstandings happen.

Oh well..good luck..

Edited by ClaudeX, 21 June 2007 - 11:08 PM.


#11 symbiote28

symbiote28

    Member

  • Full Member
  • 10 posts

Posted 21 June 2007 - 11:25 PM

I saw that you have this trojan invading your computer. Just looking at this tells me so...
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Achitasin&MindMap

That means every time you log in to your Internet Explorer, it will refer to this achitasin&MindMap as your homepage, even if you change your homepage to another website; after a while it will still return back to achitasin&MindMap. I think the risk of this trojan should be high...
Am i right?


yes! that's right .. i got this trojan from a computer in my school and many of my friends have it too .. any idea how to remove it? this trojan is irritating as hell as i cannot open my drives by double-clicking them .. instead, i have to right-click and select explore ..

EDIT: i've tried searching for C:\WINDOWS\system32\tmallcg.exe in safe mode but there was no such file found .. what should i do? should i just skip the step and run the combofix.exe? i think i better not do anything until i hear from you again .. :rolleyes:

ps. uninstalling Dr. Web from safe mode is unsuccessful too so i guess i have to follow the ccleaner steps ..

Edited by symbiote28, 22 June 2007 - 12:04 AM.


#12 Juliet

Juliet

    Forum Deity

  • Trusted Advisor
  • 843 posts

Posted 22 June 2007 - 06:20 AM

Welcome back

I think OTMoveIt worked and did remove the bad file...

Please run ComboFix and the other instructions I gave, post the logs please.


I need a ComboFix log.....New HJT log

#13 symbiote28

symbiote28

    Member

  • Full Member
  • 10 posts

Posted 23 June 2007 - 01:37 AM

here are the logs u've asked for ..

ComboFix.txt

ComboFix 07-06-18.2 - C:\Documents and Settings\Home PC\Desktop\ComboFix.exe
"Home PC" - 2007-06-23 14:14:02 - Service Pack 2 NTFS

Rootkit driver pe386 is present. ... attempting disinfection
pe386 ...... driver unloaded successfully.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


c:\autorun.inf
C:\DOCUME~1\LOCALS~1\APPLIC~1\Install.dat
C:\Program Files\Common Files\{64F9D~1
C:\Program Files\Common Files\misc002
C:\WINDOWS\system32\crunner
C:\WINDOWS\system32\crunner\cproc.exe.config
C:\WINDOWS\system32\crunner\cupdater.exe.config
C:\WINDOWS\system32\crunner\ICSharpCode.SharpZipLib.dll
C:\WINDOWS\system32\crunner\Version.txt
C:\WINDOWS\system32\lzx32.sys
C:\WINDOWS\system32\msxml3a.dll
d:\autorun.inf
e:\autorun.inf
l:\autorun.inf


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_CMDSERVICE
-------\LEGACY_NETWORK_MONITOR


((((((((((((((((((((((((( Files Created from 2007-05-23 to 2007-06-23 )))))))))))))))))))))))))))))))


2007-06-23 14:10 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-22 15:05 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Yahoo! Companion
2007-06-20 17:33 <DIR> d-------- C:\Program Files\nokcvtr
2007-06-20 11:26 1,704 --a------ C:\WINDOWS\system32\tmp.reg
2007-06-20 11:16 <DIR> d-------- C:\NoLopBackups
2007-06-19 09:56 <DIR> d-------- C:\Program Files\RegCure
2007-06-19 09:24 <DIR> d-------- C:\Program Files\Panda Software
2007-06-18 20:32 <DIR> d-------- C:\Program Files\Norton Internet Security
2007-06-12 23:57 <DIR> d-------- C:\Program Files\XoftSpySE
2007-06-12 23:09 <DIR> d-------- C:\DOCUME~1\HOMEPC~1\DoctorWeb
2007-06-12 22:00 9,728 --a----t- C:\WINDOWS\system32\DRWEBSP.DLL
2007-06-12 22:00 5,856 --a------ C:\WINDOWS\system32\drivers\drwebnet.sys
2007-06-12 20:47 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2007-06-12 20:46 11,264 --a------ C:\WINDOWS\system32\SpOrder.dll
2007-06-12 20:45 <DIR> d-------- C:\WINDOWS\Internet Logs
2007-06-09 20:48 720,896 --a------ C:\WINDOWS\iun6002ev.exe
2007-06-09 20:48 <DIR> d-------- C:\Program Files\Bejeweled 2 Deluxe
2007-06-09 19:53 <DIR> d-------- C:\Program Files\GameHouse
2007-06-08 22:08 14 --a------ C:\WINDOWS\popcinfot.dat
2007-06-08 22:08 0 --a------ C:\WINDOWS\popcreg.dat
2007-06-08 21:42 <DIR> d-------- C:\Program Files\Five+
2007-06-03 16:23 180,224 --a------ C:\WINDOWS\system32\xvidvfw.dll
2007-06-03 16:23 <DIR> d-------- C:\Program Files\Xvid
2007-06-02 14:07 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\PopCap
2007-05-29 20:04 31,232 -r-hs---- C:\WINDOWS\system32\msfDX.dll
2007-05-29 20:04 163,328 -r-hs---- C:\WINDOWS\system32\flvDX.dll
2007-05-28 20:55 <DIR> d-------- C:\Program Files\Internet Download Manager
2007-05-28 20:55 <DIR> d-------- C:\DOCUME~1\HOMEPC~1\APPLIC~1\IDM
2007-05-28 20:55 <DIR> d-------- C:\DOCUME~1\HOMEPC~1\APPLIC~1\DMCache
2007-05-26 15:21 <DIR> d-------- C:\Program Files\GetRight
2007-05-26 15:02 <DIR> d-------- C:\Program Files\Download Master
2007-05-26 15:02 <DIR> d-------- C:\DOCUME~1\HOMEPC~1\APPLIC~1\Download Master


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-22 13:06:20 -------- d-----w C:\DOCUME~1\HOMEPC~1\APPLIC~1\uTorrent
2007-06-22 12:50:12 56 ----a-w C:\WINDOWS\popcinfo.dat
2007-06-19 11:16:50 -------- d-----w C:\Program Files\Oberon Media
2007-06-19 01:26:48 -------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-06-13 03:24:32 -------- d-----w C:\DOCUME~1\HOMEPC~1\APPLIC~1\TransFork
2007-06-12 17:05:49 292 ----a-w C:\WINDOWS\rdjkr.dll
2007-06-12 16:26:57 -------- d-----w C:\Program Files\Norton AntiVirus
2007-06-12 14:00:10 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-06-10 12:01:34 -------- d-----w C:\Program Files\Opera
2007-06-10 11:52:11 -------- d-----w C:\DOCUME~1\HOMEPC~1\APPLIC~1\Opera
2007-06-08 14:08:47 -------- d-----w C:\Program Files\PopCap Games
2007-06-08 11:03:24 -------- d-----w C:\Program Files\uTorrent
2007-06-02 07:11:33 -------- d-----w C:\Program Files\Atlantis Sky Patrol
2007-05-27 02:29:58 -------- d-----w C:\Program Files\Messenger
2007-05-19 10:24:08 -------- d-----w C:\Program Files\Arcade Lines
2007-05-19 07:37:01 -------- d-----w C:\Program Files\Mahjong Towers II
2007-05-19 07:17:40 -------- d-----w C:\Program Files\LimeWire
2007-05-13 03:27:01 -------- d-----w C:\Program Files\Last.fm
2007-05-12 10:58:40 -------- d-----w C:\Program Files\ReflexiveArcade
2007-04-16 14:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-16 14:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-16 14:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-16 14:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-16 14:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-16 14:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-16 14:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-16 14:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-04-16 14:44:20 271,224 ----a-w C:\WINDOWS\system32\mucltui.dll
2007-04-16 14:44:18 208,248 ----a-w C:\WINDOWS\system32\muweb.dll
2007-04-08 04:55:37 1,604,164 ----a-w C:\WinRMSetup.exe
2001-08-23 20:00:00 94,784 --sh--w C:\WINDOWS\twain.dll
2004-08-04 00:56:48 50,688 --sh--w C:\WINDOWS\twain_32.dll
2004-08-04 00:56:44 1,028,096 --sh--w C:\WINDOWS\system32\mfc42.dll
2004-08-04 00:56:44 54,784 --sh--w C:\WINDOWS\system32\msvcirt.dll
2004-08-04 00:56:44 413,696 --sh--w C:\WINDOWS\system32\msvcp60.dll
2004-08-04 00:56:44 343,040 --sh--w C:\WINDOWS\system32\msvcrt.dll
2004-08-04 00:56:46 553,472 --sh--w C:\WINDOWS\system32\oleaut32.dll
2004-08-04 00:56:46 83,456 --sh--w C:\WINDOWS\system32\olepro32.dll
2004-08-04 00:56:56 11,776 --sh--w C:\WINDOWS\system32\regsvr32.exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{0055C089-8582-441B-A0BF-17B458C2A3A8}=C:\Program Files\Internet Download Manager\IDMIECC.dll [2006-08-29 16:28]
{02478D38-C3F9-4EFB-9B51-7695ECA05670}=C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll [2006-10-26 10:28]
{4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C}=C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL [2006-10-31 14:55]
{9030D464-4C02-4ABF-8ECC-5164760863C6}=C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2006-08-31 20:33]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2007-02-14 02:29]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-06-13 09:05]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTSyncU.exe"="C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe" [2006-06-12 14:32]
"IDMan"="C:\Program Files\Internet Download Manager\IDMan.exe" [2007-05-28 20:58]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-08-04 17:06]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpIDerMail]
"C:\Program Files\DrWeb\spiderml.exe"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\C]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe achi.dll.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe achi.dll.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe achi.dll.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2fe5e870-81e2-11db-9ccc-000000000000}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe achi.dll.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3264eba2-9b3f-11db-9d33-000000000000}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe achi.dll.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a89eb8ae-b8f7-11db-9db1-000000000000}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe achi.dll.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c638f844-ffcd-11db-9ef6-000000000000}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe achi.dll.vbs

*Newly Created Service* - COMHOST

Contents of the 'Scheduled Tasks' folder
2007-06-23 06:22:06 C:\WINDOWS\tasks\Check Updates for Windows Live Toolbar.job
2007-06-23 06:23:25 C:\WINDOWS\tasks\RegCure Program Check.job
2007-06-19 01:57:01 C:\WINDOWS\tasks\RegCure.job
2007-06-12 15:57:23 C:\WINDOWS\tasks\XoftSpySE.job

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-23 14:23:35
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-06-23 14:26:24 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-06-23 14:26

--- E O F ---

---------------------------------------------------------------------------------------------------------------------------

Latest HJT Log

Logfile of HijackThis v1.99.1
Scan saved at 2:30:15 PM, on 6/23/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\Winamp\winampa.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
C:\Program Files\Internet Download Manager\IDMan.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\sistray.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\WINDOWS\system32\CTPdeSrv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Opera\Opera.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: IDMIEHlprObj Class - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"
O4 - HKCU\..\Run: [IDMan] C:\Program Files\Internet Download Manager\IDMan.exe /onboot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: HPAiODevice(hp psc 700 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O8 - Extra context menu item: Download All Links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zon...kr.cab56986.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by24fd.bay24....es/MsnPUpld.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccApp.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccApp.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM Host (comHost) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Unknown owner - C:\Program Files\Norton Internet Security\isPwdSvc.exe (file missing)
O23 - Service: LiveUpdate - Unknown owner - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE (file missing)
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe (file missing)
O23 - Service: Symantec AppCore Service (SymAppCore) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe (file missing)

#14 Juliet

Juliet

    Forum Deity

  • Trusted Advisor
  • 843 posts

Posted 23 June 2007 - 09:31 AM

Welcome back
ComboFix did a very good job, just a little bit more work to do now.

I see Grisoft\AVG7 and several files related to Norton AntiVirus but many say file missing.
Did you previously have Nortons and try to uninstall?

If this is the case and you want to fully remove all files related to Norton Antivirus-

To fully remove Norton AntiVirus, you should go here before uninstalling and download the files and print the instructions for removal, and follow them after uninstalling NAV:
How to uninstall Norton AntiVirus 2004/2005/2006
(note: this removes ALL Norton 2004/2005/2006 products from your computer, and also uninstalls Norton Ghost 10.0/9.0/2003)
How to uninstall Norton AntiVirus 2003 or Norton AntiVirus 2003 Professional Edition
How to uninstall Norton AntiVirus 2000/2001/2002

You can also add this article/tutorial in the removal instructions in case there are additional problems after/during removing Norton:
http://basconotw.mvps.org/SymRem.htm
uninstalling Symantec applications


I see you installed Megaupload Toolbar. This one has a questionable reputation. That's why I also suggest you uninstall it.
From the Megaupload Toolbar Eula:

"This toolbar integrates certain services from alexa internet,inc. ("Alexa"). The toolbar may exchange data with Alexa in order to provide: (a) information to you about the web pages you view (ranking information, for example) and basic information to alexa on your use of the toolbar, including the ip address of your computer, the url of the web pages you visit and, because the toolbar communicates via http, data typical of normal http communications such as user agent and operating system, will be communicated."


Go to Start > Settings > Control Panel > Add/Remove Programs and remove it.


I didn't detect any active process of a firewall on your system.

Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly.
You should not rely on just the Windows XP firewall when there are firewalls that are free for personal use that are better, the Windows XP firewall only checks incoming data.
If you decide to download and install another Firewall....please disable Windows Firewall.
Start menu->>Control Panel->>Security Center->>Windows Firewall and disable Windows Firewall.
Sygate free firewall
ZoneAlarm free firewall
Outpost free Firewall
Comodo
Kerio Personal Firewall
Jetico Personal Firewall

The above are known good free Firewalls available for personal use. If one conflicts with your system, try another.
For a tutorial on Firewalls and a listing of some available ones see the link below
http://www.bleepingc...tutorial60.html



Open HijackThis, Click Do a system scan only, checkmark these. Then close all other windows and browsers except HijackThis and press fix checked.

O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL




Then, please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the quote box below:

Folder::
C:\NoLopBackups

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\C]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2fe5e870-81e2-11db-9ccc-000000000000}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3264eba2-9b3f-11db-9d33-000000000000}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a89eb8ae-b8f7-11db-9db1-000000000000}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c638f844-ffcd-11db-9ef6-000000000000}]

Save this as ComboFix-Do.txt and change the "Save as type" to "All Files" and place it on your desktop.
[screenshot]

Referring to the screenshot above, drag ComboFix-Do.txt into ComboFix.exe.

ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.



Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:
http://www.pchell.co.../safemode.shtml
  • Doubleclick the drweb-cureit.exe file and Allow to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can click the next icon next to the files found: [image]
  • If so, click it and then click the next icon right below and select Move incurable as you'll see in next image:
    [image]
    This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured. (this in case if we need samples)
  • After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously in your next reply.

In your next reply post:
ComboFix-Do.txt log
DrWeb.csv log
New HJT log
I need comments on how your computer is running now
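A read-only check a defender can run before and after the ComboFix script above, to confirm that the per-drive AutoRun handlers and autorun.inf files shown in the ComboFix log are gone. This is an added example, not code from the thread or from any tool it names; it assumes the standard registry layout MountPoints2\<drive>\Shell\AutoRun\command, which ComboFix prints shortened as "AutoRun\command-".

```powershell
# Added example (not from the thread). Read-only audit of two persistence spots
# seen in the ComboFix log: MountPoints2 AutoRun handlers (these hijack what
# Explorer runs when a drive is double-clicked) and autorun.inf in drive roots.
# Assumption: handlers live at MountPoints2\<drive>\Shell\AutoRun\command.

$base = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2'

# Things that are almost never legitimate in a drive AutoRun handler.
# -match is case-insensitive in PowerShell by default.
$suspicious = 'wscript\.exe|cscript\.exe|\.vbs\b|\.bat\b|\.cmd\b|ShellExec_RunDLL'

$findings = @()

if (Test-Path $base) {
    # Walk every "command" subkey below a mount point; its default value is
    # the command line Explorer would execute.
    Get-ChildItem -Path $base -Recurse |
        Where-Object { $_.PSChildName -eq 'command' } |
        ForEach-Object {
            $cmd = $_.GetValue('')
            if ($cmd -and $cmd -match $suspicious) {
                $findings += [pscustomobject]@{
                    Kind    = 'MountPoints2'
                    Where   = $_.Name
                    Command = $cmd
                }
            }
        }
}

# autorun.inf in each drive root (the log showed c:, d:, e: and l:).
# Report the lines that name what it would launch.
Get-PSDrive -PSProvider FileSystem | ForEach-Object {
    $inf = Join-Path $_.Root 'autorun.inf'
    if (Test-Path -LiteralPath $inf) {
        $target = Get-Content -LiteralPath $inf -Force -ErrorAction SilentlyContinue |
            Where-Object { $_ -match '^\s*(open|shellexecute|shell\\.*\\command)\s*=' }
        $findings += [pscustomobject]@{
            Kind    = 'autorun.inf'
            Where   = $inf
            Command = ($target -join '; ')
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No suspicious AutoRun handlers or autorun.inf files found.'
} else {
    # Nothing is deleted here; the list is for review against the ComboFix log.
    $findings | Format-Table -AutoSize -Wrap
}
```

Run it once before the ComboFix-Do.txt step to see the same entries ComboFix listed, and again afterwards to confirm the list is empty for the current user.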

#15 symbiote28

symbiote28

    Member

  • Full Member
  • 10 posts

Posted 23 June 2007 - 09:36 PM

I'm very wary of uninstalling any Norton programs because I realise that after uninstalling it, I can hardly run my computer .. it gives me a blue screen saying something about a hardware failure ..

#16 Juliet

Juliet

    Forum Deity

  • Trusted Advisor
  • 843 posts

Posted 23 June 2007 - 11:12 PM

Welcome back

If you want to continue using Norton AntiVirus that's fine, but you need to disable or uninstall AVG7.
I have to say, I have not heard anyone mention uninstalling Nortons giving hardware errors before, but there's always a first time I suppose.

Also you need an on board Firewall. I supplied you with a list of good known free programs that do the job well.

In your next reply post:
ComboFix-Do.txt log
DrWeb.csv log
New HJT log

I need comments on how your computer is running now
Sometimes the angels fly close enough to you that you can hear the flutter of their wings
My help is free, but if you wish to help keep these forums running please consider a donation, see this topic for details.

#17 symbiote28

symbiote28

    Member

  • Full Member
  • 10 posts

Posted 27 June 2007 - 11:25 PM

hey there .. I've been busy with exams lately and finally I had some time to reply .. here are the logs you've asked for ..

ps: I see that the DrWeb.csv log identifies one of my video converter programs as a threat, but I'm hoping I don't have to delete the program as it has been really useful to me ..

ComboFix-Do.txt log

Folder::
C:\NoLopBackups

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\C]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2fe5e870-81e2-11db-9ccc-000000000000}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3264eba2-9b3f-11db-9d33-000000000000}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a89eb8ae-b8f7-11db-9db1-000000000000}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c638f844-ffcd-11db-9ef6-000000000000}]

-----------------------------------------------------------------------------------------------------------------------------

DrWeb.csv log

SUPER.exe;C:\Program Files\eRightSoft\SUPER;Probably DLOADER.Trojan;;
Process.exe;C:\Program Files\Roguescanfix;Tool.Prockill;Incurable.Moved.;

-----------------------------------------------------------------------------------------------------------------------------

Latest HJT Log

Logfile of HijackThis v1.99.1
Scan saved at 12:18:38 PM, on 6/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Winamp\winampa.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
C:\Program Files\Internet Download Manager\IDMan.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
C:\WINDOWS\system32\sistray.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\WINDOWS\system32\CTPdeSrv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Opera\Opera.exe
C:\Program Files\HijackThis\HijackThis.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: IDMIEHlprObj Class - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"
O4 - HKCU\..\Run: [IDMan] C:\Program Files\Internet Download Manager\IDMan.exe /onboot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: HPAiODevice(hp psc 700 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O8 - Extra context menu item: Download All Links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zon...kr.cab56986.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by24fd.bay24....es/MsnPUpld.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccApp.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccApp.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM Host (comHost) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Unknown owner - C:\Program Files\Norton Internet Security\isPwdSvc.exe (file missing)
O23 - Service: LiveUpdate - Unknown owner - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE (file missing)
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe (file missing)
O23 - Service: Symantec AppCore Service (SymAppCore) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe (file missing)

-----------------------------------------------------------------------------------------------------------------------------

#18 Juliet

Juliet

    Forum Deity

  • Trusted Advisor
  • 843 posts

Posted 28 June 2007 - 07:19 AM

Welcome back

ComboFix.txt <- is the log I needed, you copied the contents of the ComboFix-Do.txt I had posted for you to run.

ps: I see that the DrWeb.csv log identifies one of my video converter programs as a threat, but I'm hoping I don't have to delete the program as it has been really useful to me


I think it would be a safe program to keep since you know it's safe.


Did you run the Nortons removal tool?

I'll list below the remaining files to be deleted.


Open HijackThis, Click Do a system scan only, checkmark these. Then close all other windows and browsers except HijackThis and press fix checked.

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccApp.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccApp.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM Host (comHost) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe (file missing)
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Unknown owner - C:\Program Files\Norton Internet Security\isPwdSvc.exe (file missing)
O23 - Service: LiveUpdate - Unknown owner - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE (file missing)
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe (file missing)
O23 - Service: Symantec AppCore Service (SymAppCore) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe (file missing)



Using Windows Explorer, locate the following files/folders listed below and delete them, if still present:

If you have trouble finding any of those files, then configure Windows Explorer to show hidden files and folders and go after them again. (Remember to hide files and folders again once done.)

To enable viewing of hidden files, do as follows:
1) Go to My Computer, and click on the "Tools" menu
2) Click "Folder options"
3) Select the "View" tab
4) Make sure "Show hidden files and folders" is selected
5) Make sure "Hide extensions for known file types" is unchecked
6) Make sure "Hide protected operating system files (recommended)" is unchecked.


C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
C:\Program Files\Norton Internet Security\isPwdSvc.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe


Reboot your computer when done.

In your next post I need

ComboFix.txt
New HJT log

Comments on how your computer is running now



Removing Norton Internet Security will leave you with no Firewall.

Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly.
You should not rely on just the Windows XP firewall when there are firewalls that are free for personal use that are better, the Windows XP firewall only checks incoming data.
If you decide to download and install another Firewall....please disable Windows Firewall.
Start menu->>Control Panel->>Security Center->>Windows Firewall and disable Windows Firewall.
Sygate free firewall
ZoneAlarm free firewall
Outpost free Firewall
Comodo
Kerio Personal Firewall
Jetico Personal Firewall

The above are known good free Firewalls available for personal use. If one conflicts with your system, try another.
For a tutorial on Firewalls and a listing of some available ones see the link below
http://www.bleepingc...tutorial60.html
Sometimes the angels fly close enough to you that you can hear the flutter of their wings
My help is free, but if you wish to help keep these forums running please consider a donation, see this topic for details.

#19 symbiote28

symbiote28

    Member

  • Full Member
  • 10 posts

Posted 29 June 2007 - 06:41 AM

hey there .. I've been getting new System Alerts for the trojan Trojan-Spy.Win32@mx .. how do I remove this? It suddenly appeared this morning ..

below are the logs you've asked for ..

HJT Log

Logfile of HijackThis v1.99.1
Scan saved at 7:37:15 PM, on 6/29/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Video ActiveX Access\iesmn.exe
C:\Program Files\Video ActiveX Access\imsmain.exe
C:\Program Files\Winamp\winampa.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
C:\Program Files\Internet Download Manager\IDMan.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Video ActiveX Access\imsmn.exe
C:\Program Files\Video ActiveX Access\iesmin.exe
C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
C:\WINDOWS\system32\sistray.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\WINDOWS\system32\CTPdeSrv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Opera\Opera.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: IDMIEHlprObj Class - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: (no name) - {184746EC-9E9D-4C7D-B9E7-9039EBD801A9} - C:\Program Files\Video ActiveX Access\iesplg.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Protection Bar - {29C5A3B6-9A8D-4FA0-B5AD-3E20F4AA5C00} - C:\Program Files\Video ActiveX Access\iesbpl.dll
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"
O4 - HKCU\..\Run: [IDMan] C:\Program Files\Internet Download Manager\IDMan.exe /onboot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: HPAiODevice(hp psc 700 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O8 - Extra context menu item: Download All Links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zon...kr.cab56986.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccApp.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccApp.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM Host (comHost) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Unknown owner - C:\Program Files\Norton Internet Security\isPwdSvc.exe (file missing)
O23 - Service: Symantec AppCore Service (SymAppCore) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe (file missing)

----------------------------------------------------------------------------------------------------------------------------

ComboFix.txt Log

ComboFix 07-06-18.2 - C:\Documents and Settings\Home PC\Desktop\ComboFix.exe
"Home PC" - 2007-06-24 10:27:08 - Service Pack 2 NTFS
Command switches used :: C:\Documents and Settings\Home PC\Desktop\ComboFix-Do.txt


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\NoLopBackups
C:\NoLopBackups\A7F61E2B91859B4F.job.01.infected


((((((((((((((((((((((((( Files Created from 2007-05-24 to 2007-06-24 )))))))))))))))))))))))))))))))


2007-06-23 14:10 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-22 15:05 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Yahoo! Companion
2007-06-20 17:33 <DIR> d-------- C:\Program Files\nokcvtr
2007-06-20 11:26 1,704 --a------ C:\WINDOWS\system32\tmp.reg
2007-06-19 09:56 <DIR> d-------- C:\Program Files\RegCure
2007-06-19 09:24 <DIR> d-------- C:\Program Files\Panda Software
2007-06-18 20:32 <DIR> d-------- C:\Program Files\Norton Internet Security
2007-06-12 23:57 <DIR> d-------- C:\Program Files\XoftSpySE
2007-06-12 23:09 <DIR> d-------- C:\DOCUME~1\HOMEPC~1\DoctorWeb
2007-06-12 22:00 9,728 --a----t- C:\WINDOWS\system32\DRWEBSP.DLL
2007-06-12 22:00 5,856 --a------ C:\WINDOWS\system32\drivers\drwebnet.sys
2007-06-12 20:47 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2007-06-12 20:46 11,264 --a------ C:\WINDOWS\system32\SpOrder.dll
2007-06-12 20:45 <DIR> d-------- C:\WINDOWS\Internet Logs
2007-06-09 20:48 720,896 --a------ C:\WINDOWS\iun6002ev.exe
2007-06-09 20:48 <DIR> d-------- C:\Program Files\Bejeweled 2 Deluxe
2007-06-09 19:53 <DIR> d-------- C:\Program Files\GameHouse
2007-06-08 22:08 14 --a------ C:\WINDOWS\popcinfot.dat
2007-06-08 22:08 0 --a------ C:\WINDOWS\popcreg.dat
2007-06-08 21:42 <DIR> d-------- C:\Program Files\Five+
2007-06-03 16:23 180,224 --a------ C:\WINDOWS\system32\xvidvfw.dll
2007-06-03 16:23 <DIR> d-------- C:\Program Files\Xvid
2007-06-02 14:07 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\PopCap
2007-05-29 20:04 31,232 -r-hs---- C:\WINDOWS\system32\msfDX.dll
2007-05-29 20:04 163,328 -r-hs---- C:\WINDOWS\system32\flvDX.dll
2007-05-28 20:55 <DIR> d-------- C:\Program Files\Internet Download Manager
2007-05-28 20:55 <DIR> d-------- C:\DOCUME~1\HOMEPC~1\APPLIC~1\IDM
2007-05-28 20:55 <DIR> d-------- C:\DOCUME~1\HOMEPC~1\APPLIC~1\DMCache
2007-05-26 15:21 <DIR> d-------- C:\Program Files\GetRight
2007-05-26 15:02 <DIR> d-------- C:\Program Files\Download Master
2007-05-26 15:02 <DIR> d-------- C:\DOCUME~1\HOMEPC~1\APPLIC~1\Download Master


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-23 14:29:18 56 ----a-w C:\WINDOWS\popcinfo.dat
2007-06-22 13:06:20 -------- d-----w C:\DOCUME~1\HOMEPC~1\APPLIC~1\uTorrent
2007-06-19 11:16:50 -------- d-----w C:\Program Files\Oberon Media
2007-06-19 01:26:48 -------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-06-13 03:24:32 -------- d-----w C:\DOCUME~1\HOMEPC~1\APPLIC~1\TransFork
2007-06-12 17:05:49 292 ----a-w C:\WINDOWS\rdjkr.dll
2007-06-12 16:26:57 -------- d-----w C:\Program Files\Norton AntiVirus
2007-06-12 14:00:10 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-06-10 12:01:34 -------- d-----w C:\Program Files\Opera
2007-06-10 11:52:11 -------- d-----w C:\DOCUME~1\HOMEPC~1\APPLIC~1\Opera
2007-06-08 14:08:47 -------- d-----w C:\Program Files\PopCap Games
2007-06-08 11:03:24 -------- d-----w C:\Program Files\uTorrent
2007-06-02 07:11:33 -------- d-----w C:\Program Files\Atlantis Sky Patrol
2007-05-27 02:29:58 -------- d-----w C:\Program Files\Messenger
2007-05-19 10:24:08 -------- d-----w C:\Program Files\Arcade Lines
2007-05-19 07:37:01 -------- d-----w C:\Program Files\Mahjong Towers II
2007-05-19 07:17:40 -------- d-----w C:\Program Files\LimeWire
2007-05-13 03:27:01 -------- d-----w C:\Program Files\Last.fm
2007-05-12 10:58:40 -------- d-----w C:\Program Files\ReflexiveArcade
2007-04-16 14:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-16 14:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-16 14:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-16 14:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-16 14:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-16 14:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-16 14:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-16 14:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-04-16 14:44:20 271,224 ----a-w C:\WINDOWS\system32\mucltui.dll
2007-04-16 14:44:18 208,248 ----a-w C:\WINDOWS\system32\muweb.dll
2007-04-08 04:55:37 1,604,164 ----a-w C:\WinRMSetup.exe
2001-08-23 20:00:00 94,784 --sh--w C:\WINDOWS\twain.dll
2004-08-04 00:56:48 50,688 --sh--w C:\WINDOWS\twain_32.dll
2004-08-04 00:56:44 1,028,096 --sh--w C:\WINDOWS\system32\mfc42.dll
2004-08-04 00:56:44 54,784 --sh--w C:\WINDOWS\system32\msvcirt.dll
2004-08-04 00:56:44 413,696 --sh--w C:\WINDOWS\system32\msvcp60.dll
2004-08-04 00:56:44 343,040 --sh--w C:\WINDOWS\system32\msvcrt.dll
2004-08-04 00:56:46 553,472 --sh--w C:\WINDOWS\system32\oleaut32.dll
2004-08-04 00:56:46 83,456 --sh--w C:\WINDOWS\system32\olepro32.dll
2004-08-04 00:56:56 11,776 --sh--w C:\WINDOWS\system32\regsvr32.exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{0055C089-8582-441B-A0BF-17B458C2A3A8}=C:\Program Files\Internet Download Manager\IDMIECC.dll [2006-08-29 16:28]
{02478D38-C3F9-4EFB-9B51-7695ECA05670}=C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll [2006-10-26 10:28]
{9030D464-4C02-4ABF-8ECC-5164760863C6}=C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2006-08-31 20:33]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2007-02-14 02:29]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-06-13 09:05]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTSyncU.exe"="C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe" [2006-06-12 14:32]
"IDMan"="C:\Program Files\Internet Download Manager\IDMan.exe" [2007-05-28 20:58]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-08-04 17:06]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"megauploadtoolbar"=C:\DOCUME~1\HOMEPC~1\LOCALS~1\Temp\tbuninstall.exe -df "C:\Program Files\MegauploadToolbar\"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpIDerMail]
"C:\Program Files\DrWeb\spiderml.exe"

*Newly Created Service* - COMHOST

Contents of the 'Scheduled Tasks' folder
2007-06-24 02:22:00 C:\WINDOWS\tasks\Check Updates for Windows Live Toolbar.job
2007-06-24 02:11:31 C:\WINDOWS\tasks\RegCure Program Check.job
2007-06-19 01:57:01 C:\WINDOWS\tasks\RegCure.job
2007-06-12 15:57:23 C:\WINDOWS\tasks\XoftSpySE.job

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-24 10:32:50
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-06-24 10:33:38
C:\ComboFix-quarantined-files.txt ... 2007-06-24 10:33
C:\ComboFix2.txt ... 2007-06-23 14:26

--- E O F ---

#20 Juliet

Juliet

    Forum Deity

  • Trusted Advisor
  • 843 posts

Posted 29 June 2007 - 07:47 AM

Welcome back

Tell me about this folder/program. Is this something you installed?
C:\Program Files\nokcvtr

If you do not have any information on this folder/program we need to have it checked.
Please go to at least two of the below sites to scan the following files:
jotti.org
or
virustotal
or
http://www.kaspersky...anforvirus.html

click on Browse, and upload the following file for analysis:
C:\Program Files\nokcvtr

Then click Submit. Allow the file to be scanned, and then please copy and paste the results here for me to see.



Did you run the Nortons removal tool? Or try to remove any of the remaining Nortons files I had outlined in my previous reply?



Open HijackThis, Click Do a system scan only, checkmark these. Then close all other windows and browsers except HijackThis and press fix checked.
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {184746EC-9E9D-4C7D-B9E7-9039EBD801A9} - C:\Program Files\Video ActiveX Access\iesplg.dll
O3 - Toolbar: Protection Bar - {29C5A3B6-9A8D-4FA0-B5AD-3E20F4AA5C00} - C:\Program Files\Video ActiveX Access\iesbpl.dll



Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.
Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlog...processutil.htm

You should print out these instructions, or copy them to a Notepad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Please reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.

    Using windows explorer search for and delete this file
    C:\WINDOWS\rdjkr.dll
Open the SmitfraudFix folder again and double-click smitfraudfix.cmd
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.
You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning : running option #2 on a non infected computer will remove your Desktop background.



Clean out your Temporary Internet files. Proceed like this:
Quit Internet Explorer and quit any instances of Windows Explorer.
Click Start, click Control Panel, and then double click Internet Options.
On the General tab, click Delete files under Temporary Internet Files.
In the Delete Files dialog box, tick the Delete all offline content check box, and then click OK.
On the General tab, click Delete Cookies under Temporary Internet Files, and then click OK.
Click on the Programs tab then click the Reset Web Settings button. Click Apply then OK
Click OK



Next Click Start, click Control Panel and then double-click Display. Click on the Desktop tab, then click the Customize Desktop button. Click on the Web tab. Under Web Pages you should see a checked entry called Security info or something similar. If it is there, select that entry and click the Delete button. Click Ok then Apply and Ok.

Also make sure the 'Lock desktop items' box is unticked. Click OK, and then Click Apply, then OK.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #3 - Delete Trusted zone by typing 3 and press Enter

Note, if you use SpywareBlaster and/or IE-SPYAD, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the Programme and re-protect all items. For IE-SPYAD, run the batch file and reinstall the protection.



Please do an online scan with Kaspersky Online Scanner
  • Click on Kaspersky Online Scanner.
  • You will be prompted to install an ActiveX component from Kaspersky, click Yes.
  • The program will launch and then begin downloading the latest definition files.
  • Once the files have been downloaded click on Next.
  • Now click on Scan Settings.
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
      Extended
    • Scan Options:
      Scan Archives
      Scan Mail Bases
  • Click OK.
  • Now under select a target to scan:
    • Select My Computer.
  • This program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save Report As button.
    • In the File name: field, type kavscan.
    • In the Save as type: field, select Text file (*.txt).
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
NEXT:

Please reboot your computer normally into Windows, and then please post the log from the Kaspersky scan and a new HijackThis log.
Note for Internet Explorer 7 users: If at any time you have trouble with the Accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.

In your next reply post:
Scanned file results
Smitfraud
C:\rapport.txt
kavscan log.
New HJT log
comments on how your computer is running now
Sometimes the angels fly close enough to you that you can hear the flutter of their wings
My help is free, but if you wish to help keep these forums running please consider a donation, see this topic for details.
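A small triage script for the HijackThis log format used in this thread, added here as an example (it is not HijackThis's code and not something the helper posted): it parses HJT lines like those above, plus the bare paths under "Running processes", and flags the same kinds of entries Juliet asked to have fixed, orphaned O23 services, blanked R0 pages, dead R3 hooks, unnamed BHOs/toolbars, and components in the "Video ActiveX Access" folder. The folder name and the sample lines are taken from the log above; everything else is constructed.

```python
"""Triage helper for HijackThis v1.99 log lines (constructed example; not code
from HijackThis, ComboFix or the thread).  It parses the R0/R3/O2/O3/O4/O23
line shapes seen in the posted logs plus the bare paths under "Running
processes", and flags what the helper asked the poster to fix.  The folder
name in SUSPECT_DIRS comes from the log above and is page-specific."""
import re
from dataclasses import dataclass, field
from typing import List

# Folder the thread's log ties to the rogue "Protection Bar" components.
SUSPECT_DIRS = ("video activex access",)

LINE_RE = re.compile(r"^(R\d|F\d|O\d{1,2}) - (.*)$")
PROC_RE = re.compile(r"^[A-Za-z]:\\")
# Drive-letter path ending in .exe/.dll; lazy so the trailing
# '" /h ccCommon (file missing)' on O23 lines is not swallowed.
PATH_RE = re.compile(r'([A-Za-z]:\\[^"]*?\.(?:exe|dll))', re.I)


@dataclass
class Entry:
    kind: str      # "O23", "R0", ... or "PROC" for a running-process line
    line: str      # the original log line, stripped
    path: str      # first .exe/.dll path in the line, or ""
    reasons: List[str] = field(default_factory=list)


def parse_line(raw: str):
    """Turn one log line into an Entry, or None for headers and blank lines."""
    line = raw.strip()
    m = LINE_RE.match(line)
    if m:
        kind, text = m.group(1), m.group(2)
    elif PROC_RE.match(line):
        kind, text = "PROC", line
    else:
        return None
    pm = PATH_RE.search(text)
    return Entry(kind, line, pm.group(1) if pm else "")


def flag(e: Entry) -> Entry:
    """Attach a reason for every rule the entry trips (can be more than one)."""
    low = e.line.lower()
    if e.kind == "O23" and "(file missing)" in low:
        e.reasons.append("service still registered but its binary is gone")
    if e.kind == "R0" and e.line.endswith("="):
        e.reasons.append("IE page setting has been blanked")
    if e.kind == "R3" and "(no file)" in low:
        e.reasons.append("URLSearchHook points at a file that no longer exists")
    if e.kind in ("O2", "O3") and "(no name)" in low:
        e.reasons.append("BHO/toolbar registered without a name")
    if any(d in e.path.lower() for d in SUSPECT_DIRS):
        e.reasons.append("component lives in the folder tied to the rogue toolbar")
    return e


def triage(log_text: str) -> List[Entry]:
    """Return only the entries that earned at least one reason, in log order."""
    out = []
    for raw in log_text.splitlines():
        e = parse_line(raw)
        if e is not None and flag(e).reasons:
            out.append(e)
    return out


def fix_list(log_text: str) -> List[str]:
    """Lines to checkmark under 'Do a system scan only'.  Running-process
    lines are reported by triage() but cannot be fixed from that list."""
    return [e.line for e in triage(log_text) if e.kind != "PROC"]


# Constructed sample, trimmed from the HJT log posted above.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\Explorer.EXE
C:\Program Files\Video ActiveX Access\iesmn.exe
C:\Program Files\Video ActiveX Access\imsmain.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: IDMIEHlprObj Class - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: (no name) - {184746EC-9E9D-4C7D-B9E7-9039EBD801A9} - C:\Program Files\Video ActiveX Access\iesplg.dll
O3 - Toolbar: Protection Bar - {29C5A3B6-9A8D-4FA0-B5AD-3E20F4AA5C00} - C:\Program Files\Video ActiveX Access\iesbpl.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccApp.exe" /h ccCommon (file missing)
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Unknown owner - C:\Program Files\Norton Internet Security\isPwdSvc.exe (file missing)
"""

if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"{e.kind:5} {e.line[:70]}")
        for r in e.reasons:
            print(f"      -> {r}")
```

The rules are only the heuristics this thread shows; a clean O23 line such as the AVG7 service, or a named BHO in a normal program folder, comes through unflagged.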

#21 Juliet

Juliet

    Forum Deity

  • Trusted Advisor
  • 843 posts

Posted 12 July 2007 - 12:40 PM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please tell the moderating team by replying here with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
Sometimes the angels fly close enough to you that you can hear the flutter of their wings
My help is free, but if you wish to help keep these forums running please consider a donation, see this topic for details.
