
Vundo Problems - HijackThis Log included


  • This topic is locked
11 replies to this topic

#1 GACGustie

    Member

  • Full Member
  • 6 posts

Posted 28 June 2007 - 05:51 PM

Hey guys, I was wondering if anyone would be willing to help me out with some malware infection. My computer's so slow I can barely even get on your forum. Thanks in advance, here's my log:

Logfile of HijackThis v1.99.1
Scan saved at 5:44:26 PM, on 6/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\j86759.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\WINDOWS\CROSOF~1\svchost.exe
C:\Program Files\?icrosoft\??plorer.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\HPZinw12.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wscript.exe
C:\DOCUME~1\McNeill\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1F6581D5-AA53-4b73-A6F9-41420C6B61F1} - C:\WINDOWS\system32\tmpA6.tmp.dll
O2 - BHO: (no name) - {3aaef3f6-9b2b-47df-ad56-13d587f80364} - C:\WINDOWS\system32\comapi.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: (no name) - {6D88D0D4-1D65-46CD-8F80-008D7F5D58A7} - C:\Program Files\Online Services\hokepote83122.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {93f64f78-e60f-4542-98ad-0b229f9122d6} - C:\WINDOWS\system32\yxulhat.dll (file missing)
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [j86759] C:\WINDOWS\j86759
O4 - HKLM\..\Run: [winehq.org] rundll32.exe "C:\WINDOWS\hgdeee.dll",realset
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Uaol] "C:\WINDOWS\CROSOF~1\svchost.exe" -vt yazb
O4 - HKCU\..\Run: [Xvvx] "C:\Program Files\?icrosoft\??plorer.exe"
O4 - HKCU\..\Run: [WebBuying] C:\Program Files\Web Buying\v1.7.4\webbuying.exe
O4 - HKCU\..\Run: [WinPop] C:\Program Files\WinPop\winpop.exe
O4 - Startup: TA_Start.lnk = C:\Documents and Settings\McNeill\Desktop\TICHD001.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O20 - Winlogon Notify: comapi - C:\WINDOWS\SYSTEM32\comapi.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
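The log above already contains every load point the later ComboFix run confirms: BHOs with throw-away tmpXX.tmp.dll names, a BHO whose DLL is already gone, the same comapi.dll registered both as a BHO and as a Winlogon Notify package, rundll32 loading a DLL straight out of C:\WINDOWS, a second svchost.exe under CROSOF~1, and a Run entry for "?icrosoft\??plorer.exe" (I take the '?' to be how HijackThis renders characters it cannot display in the current code page, so the folder only looks like Microsoft). The script below is an added example, not part of this thread and not HijackThis code. It parses a constructed sample made of lines copied from the log and flags those entries. The heuristics and the Winlogon Notify allowlist are my own assumptions for the illustration, not a published rule set.

```python
"""Triage a HijackThis 1.99 log for the Vundo-style load points seen in this thread.

Added example; not part of the original thread and not HijackThis code.
The heuristics are assumptions drawn from the log lines above:
  * a load-point path containing '?' (HijackThis prints characters it cannot
    render as '?', which is how "?icrosoft\\??plorer.exe" appears)
  * "(file missing)" on a BHO: the registration outlived its DLL
  * tmpXX.tmp.dll / tmpXX.tmp.exe names
  * rundll32.exe loading a DLL that sits directly in C:\\WINDOWS
  * svchost.exe / explorer.exe running from a directory other than the
    Windows or system32 directory
  * an O20 Winlogon Notify DLL not on a short allowlist (assumed list)
  * one DLL registered both as a BHO (O2) and a Winlogon Notify package (O20)
"""
import re
from collections import defaultdict

# Constructed sample: lines copied from the first log in this thread.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1F6581D5-AA53-4b73-A6F9-41420C6B61F1} - C:\WINDOWS\system32\tmpA6.tmp.dll
O2 - BHO: (no name) - {3aaef3f6-9b2b-47df-ad56-13d587f80364} - C:\WINDOWS\system32\comapi.dll
O2 - BHO: (no name) - {93f64f78-e60f-4542-98ad-0b229f9122d6} - C:\WINDOWS\system32\yxulhat.dll (file missing)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [winehq.org] rundll32.exe "C:\WINDOWS\hgdeee.dll",realset
O4 - HKCU\..\Run: [Uaol] "C:\WINDOWS\CROSOF~1\svchost.exe" -vt yazb
O4 - HKCU\..\Run: [Xvvx] "C:\Program Files\?icrosoft\??plorer.exe"
O20 - Winlogon Notify: comapi - C:\WINDOWS\SYSTEM32\comapi.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
"""

# Assumed allowlist of Winlogon Notify DLLs expected on a patched XP SP2 box with
# Symantec AV installed; extend it from your own clean baseline.
KNOWN_NOTIFY_DLLS = {"wgalogon.dll", "navlogon.dll", "crypt32.dll", "cryptnet.dll",
                     "cscdll.dll", "sclgntfy.dll", "wlnotify.dll"}

SYSTEM_DIRS = re.compile(r"^\"?c:\\windows\\(system32\\)?(svchost|explorer)\.exe", re.I)
TMP_NAME = re.compile(r"\\tmp[0-9a-f]+\.tmp\.(dll|exe)\b", re.I)
RUNDLL_WINDIR = re.compile(r"^\"?rundll32(\.exe)?\"?\s+\"?c:\\windows\\[^\\\"]+\.dll", re.I)


def parse_line(line):
    """Return (section, load_path) for O2/O4/O20 lines, else (section, None)."""
    m = re.match(r"^(O\d+) - (.*)$", line.strip())
    if not m:
        return None, None
    sect, rest = m.groups()
    if sect in ("O2", "O20"):
        return sect, rest.rsplit(" - ", 1)[-1].strip()   # last field is the DLL path
    if sect == "O4" and "] " in rest:
        return sect, rest.split("] ", 1)[1].strip()       # command after "[name] "
    return sect, None


def dll_name(path):
    """Bare lowercase file name, without quotes or a '(file missing)' suffix."""
    bare = path.replace("(file missing)", "").strip().strip('"')
    return bare.rsplit("\\", 1)[-1].lower()


def indicators(sect, path):
    hits = []
    if "?" in path:
        hits.append("non-ANSI look-alike characters in path (rendered as '?')")
    if "(file missing)" in path:
        hits.append("load point for a file that no longer exists")
    if TMP_NAME.search(path):
        hits.append("tmpXX.tmp naming used by the droppers in this log")
    if RUNDLL_WINDIR.search(path):
        hits.append("rundll32 loading a DLL placed directly in C:\\WINDOWS")
    if re.search(r"\\(svchost|explorer)\.exe", path, re.I) and not SYSTEM_DIRS.search(path):
        hits.append("system binary name running from a non-system directory")
    if sect == "O20" and dll_name(path) not in KNOWN_NOTIFY_DLLS:
        hits.append("Winlogon Notify DLL not on the allowlist")
    return hits


def triage(log_text):
    """Map each suspicious log line to its list of indicators."""
    findings = {}
    by_dll = defaultdict(set)          # dll name -> sections it is registered in
    for line in log_text.splitlines():
        sect, path = parse_line(line)
        if path is None:
            continue
        if sect in ("O2", "O20"):
            by_dll[dll_name(path)].add(sect)
        hits = indicators(sect, path)
        if hits:
            findings[line.strip()] = hits
    # One DLL hooked into both IE (O2) and winlogon (O20) is the Vundo pattern.
    for line in log_text.splitlines():
        sect, path = parse_line(line)
        if sect in ("O2", "O20") and by_dll[dll_name(path)] >= {"O2", "O20"}:
            findings.setdefault(line.strip(), []).append(
                "same DLL registered as BHO and Winlogon Notify")
    return findings


if __name__ == "__main__":
    for line, hits in triage(SAMPLE_LOG).items():
        print(line)
        for h in hits:
            print("    ->", h)
```

Run as-is it prints the seven flagged lines from the sample; feed it a full log with `triage(open("hijackthis.log").read())`. The cross-check between O2 and O20 is the part worth keeping: a DLL that wants to be in both Internet Explorer and winlogon.exe has no legitimate reason to be, and it is exactly the pairing VundoFix and ComboFix remove later in this thread.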

#2 GACGustie

    Member

  • Full Member
  • 6 posts

Posted 30 June 2007 - 01:01 PM

I've been continually scanning with Norton, AdAware, and SpyBot for the last few days. I can find and delete problems, but they seem to come back each time I restart.

#3 Mieke

    HJT Helper

  • Retired Staff - Helper
  • 265 posts

Posted 03 July 2007 - 08:39 AM

Hi GACGustie

I am currently studying your log and will be back to you as soon as possible. Thank you for your patience. :)

#4 Mieke

    HJT Helper

  • Retired Staff - Helper
  • 265 posts

Posted 03 July 2007 - 08:53 AM

Hi GACGustie,

* Please copy and paste this post into Notepad or print it out. It's a lot easier than trying to remember everything.

------------------------------------------------

* Please put HijackThis.exe in its own permanent folder. If you fix something with HijackThis, it creates a backup, and if you fixed anything wrong you can put it back from these backups.
Right now your HijackThis.exe is located in a temp folder and can't make any backups at all. HijackThis can also be accidentally deleted if it is in a Temp folder.

How to do this:

Click My Computer, then click C:\.
Right-click in an empty place and click New > Folder.
Now that you've created a new folder, right-click it and give it the name HijackThis. Unzip HijackThis.zip to that folder.

------------------------------------------------

* You need to download a couple of tools that we need later. Please do not run any of these yet!

1) Download and install CleanUp!

2) Please download VundoFix by Atribune from here:
http://www.atribune..../click.php?id=4 and place it on your desktop.

3) Please download ComboFix from Here or Here and save it to your Desktop.
NOTE: In the event you already have ComboFix, this is a new version that I need you to download.

------------------------------------------------

* Using Cleanup!
Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
  • Cleanup! All Users
Click OK
Press the CleanUp! button to start the program.

It may ask you to reboot at the end, click NO.

------------------------------------------------

* Using VundoFix
Double-click VundoFix.exe to run the tool.
When VundoFix re-opens, click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.

Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

------------------------------------------------

* Using ComboFix
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

----------------------------------------

* Please post the logs listed here in your next reply, in this order:

1. The contents of C:\vundofix.txt
2. C:\ComboFix.txt
3. A new HijackThis log.
----------------------------------------

Please let me know if you had any problems during the fix.

Mieke :)

#5 GACGustie

    Member

  • Full Member
  • 6 posts

Posted 03 July 2007 - 05:25 PM

e: nevermind.

Edited by GACGustie, 03 July 2007 - 05:36 PM.


#6 GACGustie

    Member

  • Full Member
  • 6 posts

Posted 03 July 2007 - 05:50 PM

VundoFix V6.5.4

Checking Java version...

Java version is 1.4.2.3
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Scan started at 5:28:40 PM 7/3/2007

Listing files found while scanning....

C:\WINDOWS\system32\tmpE4.tmp.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\tmpE4.tmp.dll
C:\WINDOWS\system32\tmpE4.tmp.dll Has been deleted!

Performing Repairs to the registry.
Done!


"McNeill" - 2007-07-03 17:37:01 - ComboFix 07-07-03.9 - Service Pack 2


(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\rqrrpp.dll
C:\WINDOWS\urropm.dll
C:\WINDOWS\pprrqr.ini
C:\WINDOWS\mporru.ini
C:\WINDOWS\system32\comapi.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\McNeill\APPLIC~1.\.rdr.ini
C:\DOCUME~1\McNeill\APPLIC~1\tmp10.tmp.exe
C:\DOCUME~1\McNeill\APPLIC~1\tmp106.tmp.exe
C:\DOCUME~1\McNeill\APPLIC~1\tmp136.tmp.exe
C:\DOCUME~1\McNeill\APPLIC~1\tmp139.tmp.exe
C:\DOCUME~1\McNeill\APPLIC~1\tmp13A.tmp.exe
C:\DOCUME~1\McNeill\APPLIC~1\tmp168.tmp.exe
C:\DOCUME~1\McNeill\APPLIC~1\tmp18.tmp.exe
C:\DOCUME~1\McNeill\APPLIC~1\tmp1AB.tmp.exe
C:\DOCUME~1\McNeill\APPLIC~1\tmp1AC.tmp.exe
C:\DOCUME~1\McNeill\APPLIC~1\tmp1DF.tmp.exe
C:\DOCUME~1\McNeill\APPLIC~1\tmp1EE.tmp.exe
C:\DOCUME~1\McNeill\APPLIC~1\tmp205.tmp.exe
C:\DOCUME~1\McNeill\APPLIC~1\tmp24A.tmp.exe
C:\DOCUME~1\McNeill\APPLIC~1\tmp301.tmp.exe
C:\DOCUME~1\McNeill\APPLIC~1\tmp316.tmp.exe
C:\DOCUME~1\McNeill\APPLIC~1\tmp359.tmp.exe
C:\DOCUME~1\McNeill\APPLIC~1\tmp37F.tmp.exe
C:\DOCUME~1\McNeill\APPLIC~1\tmp3A7.tmp.exe
C:\DOCUME~1\McNeill\APPLIC~1\tmp3A8.tmp.exe
C:\DOCUME~1\McNeill\APPLIC~1\tmp428.tmp.exe
C:\DOCUME~1\McNeill\APPLIC~1\tmp4A8.tmp.exe
C:\DOCUME~1\McNeill\APPLIC~1\tmp4AA.tmp.exe
C:\DOCUME~1\McNeill\APPLIC~1\tmp4DF.tmp.exe
C:\DOCUME~1\McNeill\APPLIC~1\tmp4FD.tmp.exe
C:\DOCUME~1\McNeill\APPLIC~1\tmp504.tmp.exe
C:\DOCUME~1\McNeill\APPLIC~1\tmp52C.tmp.exe
C:\DOCUME~1\McNeill\APPLIC~1\tmp52D.tmp.exe
C:\DOCUME~1\McNeill\APPLIC~1\tmp5EB.tmp.exe
C:\DOCUME~1\McNeill\APPLIC~1\tmp5F4.tmp.exe
C:\DOCUME~1\McNeill\APPLIC~1\tmp5F6.tmp.exe
C:\DOCUME~1\McNeill\APPLIC~1\tmp64A.tmp.exe
C:\DOCUME~1\McNeill\APPLIC~1\tmp67D.tmp.exe
C:\DOCUME~1\McNeill\APPLIC~1\tmp6B4.tmp.exe
C:\DOCUME~1\McNeill\APPLIC~1\tmp6C7.tmp.exe
C:\DOCUME~1\McNeill\APPLIC~1\tmp786.tmp.exe
C:\DOCUME~1\McNeill\APPLIC~1\tmp7E.tmp.exe
C:\DOCUME~1\McNeill\APPLIC~1\tmp86.tmp.exe
C:\DOCUME~1\McNeill\APPLIC~1\tmp8D.tmp.exe
C:\DOCUME~1\McNeill\APPLIC~1\tmp91.tmp.exe
C:\DOCUME~1\McNeill\APPLIC~1\tmp96.tmp.exe
C:\DOCUME~1\McNeill\APPLIC~1\tmp9D.tmp.exe
C:\DOCUME~1\McNeill\APPLIC~1\tmpA3.tmp.exe
C:\DOCUME~1\McNeill\APPLIC~1\tmpA6.tmp.exe
C:\DOCUME~1\McNeill\APPLIC~1\tmpAC.tmp.exe
C:\DOCUME~1\McNeill\APPLIC~1\tmpC3.tmp.exe
C:\DOCUME~1\McNeill\APPLIC~1\tmpC9.tmp.exe
C:\DOCUME~1\McNeill\APPLIC~1\tmpE1.tmp.exe
C:\DOCUME~1\McNeill\APPLIC~1\tmpE4.tmp.exe
C:\DOCUME~1\McNeill\APPLIC~1\tmpED.tmp.exe
C:\DOCUME~1\McNeill\APPLIC~1\tmpF4.tmp.exe
C:\Program Files\icroso~1
C:\Program Files\Online Services\hokepote83122.dll
C:\Program Files\winpop
C:\Program Files\winpop\UnInstall.exe
C:\WINDOWS\crosof~1
C:\WINDOWS\crosof~1\svchost.exe
C:\WINDOWS\cs_cache.ini
C:\WINDOWS\racle~1
C:\WINDOWS\system32\mbols~1
C:\WINDOWS\system32\o05PrEz
C:\WINDOWS\system32\smante~1
C:\WINDOWS\system32\smbols~1
C:\WINDOWS\system32\wapisvtr32.exe
C:\WINDOWS\system32\win
C:\WINDOWS\wr.txt


((((((((((((((((((((((((( Files Created from 2007-06-03 to 2007-07-03 )))))))))))))))))))))))))))))))


2007-07-03 17:38 134,914 --a------ C:\WINDOWS\khggfd.dll
2007-07-03 17:38 128,231 --a------ C:\DOCUME~1\McNeill\APPLIC~1\tmp9F.tmp.exe
2007-07-03 17:35 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-03 17:28 <DIR> d-------- C:\VundoFix Backups
2007-07-03 17:21 <DIR> d-------- C:\HIJACK THIS
2007-07-01 13:42 134,871 --a------ C:\WINDOWS\nnoppp.dll
2007-06-27 21:56 59,427 --a------ C:\WINDOWS\system32\tmp786.tmp.dll
2007-06-27 21:11 59,427 --a------ C:\WINDOWS\system32\tmp6B4.tmp.dll
2007-06-27 21:03 59,427 --a------ C:\WINDOWS\system32\tmp5EB.tmp.dll
2007-06-27 20:54 59,427 --a------ C:\WINDOWS\system32\tmp4DF.tmp.dll
2007-06-27 20:43 59,427 --a------ C:\WINDOWS\system32\tmp37F.tmp.dll
2007-06-27 20:40 59,427 --a------ C:\WINDOWS\system32\tmp316.tmp.dll
2007-06-27 20:24 59,427 --a------ C:\WINDOWS\system32\tmp1EE.tmp.dll
2007-06-27 20:16 134,917 --a------ C:\WINDOWS\vtrpqo.dll
2007-06-27 20:09 134,917 --a------ C:\WINDOWS\tuttsr.dll
2007-06-26 22:05 59,480 --a------ C:\WINDOWS\system32\tmpE1.tmp.dll
2007-06-26 19:28 59,480 --a------ C:\WINDOWS\system32\tmpC9.tmp.dll
2007-06-26 10:53 59,480 --a------ C:\WINDOWS\system32\tmp9D.tmp.dll
2007-06-25 21:35 <DIR> d-------- C:\WINDOWS\pss
2007-06-25 21:08 59,480 --a------ C:\WINDOWS\system32\tmp7E.tmp.dll
2007-06-25 20:55 59,480 --a------ C:\WINDOWS\system32\tmp136.tmp.dll
2007-06-24 21:53 59,435 --a------ C:\WINDOWS\system32\tmp67D.tmp.dll
2007-06-24 21:40 59,435 --a------ C:\WINDOWS\system32\tmp5F6.tmp.dll
2007-06-24 21:40 59,435 --a------ C:\WINDOWS\system32\tmp5F4.tmp.dll
2007-06-24 19:50 59,435 --a------ C:\WINDOWS\system32\tmp4FD.tmp.dll
2007-06-24 18:18 59,435 --a------ C:\WINDOWS\system32\tmp24A.tmp.dll
2007-06-24 17:49 59,435 --a------ C:\WINDOWS\system32\tmp13A.tmp.dll
2007-06-24 17:49 59,435 --a------ C:\WINDOWS\system32\tmp139.tmp.dll
2007-06-24 17:39 59,457 --a------ C:\WINDOWS\system32\tmpA6.tmp.dll
2007-06-23 22:50 59,414 --a------ C:\WINDOWS\system32\tmpC3.tmp.dll
2007-06-23 22:46 59,414 --a------ C:\WINDOWS\system32\tmp18.tmp.dll
2007-06-23 04:04 59,414 --a------ C:\WINDOWS\system32\tmp52D.tmp.dll
2007-06-23 04:04 59,414 --a------ C:\WINDOWS\system32\tmp52C.tmp.dll
2007-06-23 03:40 59,414 --a------ C:\WINDOWS\system32\tmp4AA.tmp.dll
2007-06-23 03:40 59,414 --a------ C:\WINDOWS\system32\tmp4A8.tmp.dll
2007-06-23 02:49 59,414 --a------ C:\WINDOWS\system32\tmp3A8.tmp.dll
2007-06-23 02:49 59,414 --a------ C:\WINDOWS\system32\tmp3A7.tmp.dll
2007-06-22 20:04 59,448 --a------ C:\WINDOWS\system32\tmp1AC.tmp.dll
2007-06-22 20:04 59,448 --a------ C:\WINDOWS\system32\tmp1AB.tmp.dll
2007-06-22 19:55 59,448 --a------ C:\WINDOWS\system32\tmp168.tmp.dll
2007-06-21 12:31 <DIR> d-------- C:\WINDOWS\system32\S7
2007-06-21 12:31 <DIR> d-------- C:\WINDOWS\system32\S4
2007-06-21 12:31 <DIR> d-------- C:\WINDOWS\system32\S2
2007-06-21 12:31 <DIR> d-------- C:\WINDOWS\system32\S1
2007-06-15 14:43 53,248 --a------ C:\WINDOWS\uni_eh43.exe
2007-06-15 14:38 192,512 --a------ C:\WINDOWS\j86759.exe


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-03 22:41:47 -------- d-----w C:\Program Files\Online Services
2007-07-03 22:32:04 -------- d-----w C:\Program Files\Symantec AntiVirus
2007-06-29 22:23:30 -------- d-----w C:\Program Files\Windows Plus
2007-06-11 21:27:14 5,852 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2007-06-11 21:27:13 88 --sh--r C:\WINDOWS\system32\EBCC9BD9FE.sys
2007-06-01 23:22:15 -------- d-----w C:\DOCUME~1\McNeill\APPLIC~1\AdobeUM
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-17 03:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-17 03:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-17 03:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-17 03:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-17 03:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-17 03:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-17 03:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-17 03:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2006-11-05 20:39:21 56 --sh--r C:\WINDOWS\system32\FED99BCCEB.sys


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
2003-11-03 14:17 54248 --a------ C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5CA3D70E-1895-11CF-8E15-001234567890}]
2005-09-08 05:20 110652 --a------ C:\WINDOWS\System32\DLA\DLASHX_W.DLL

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
2007-03-14 03:43 501400 --a------ C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{93f64f78-e60f-4542-98ad-0b229f9122d6}]
C:\WINDOWS\system32\yxulhat.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 23:20 C:\WINDOWS\stsystra.exe]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 21:05]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 03:12]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2006-04-17 22:18]
"MMTray"="C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [2005-09-08 19:20]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 10:44]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 10:44]
"@"="" []
"Corel Photo Downloader"="C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe" [2006-02-09 17:34]
"MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [2005-07-12 19:05]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2005-04-08 15:52]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2005-04-17 12:30]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-11 23:12]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-02-23 16:45]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-06-10 10:52]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 05:00]
"EasyLinkAdvisor"="C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" [2006-04-02 21:07]
"Aim6"="" []
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 11:09]
"Uaol"="C:\WINDOWS\CROSOF~1\svchost.exe" []
"Xvvx"="C:\Program Files\?icrosoft\??plorer.exe" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
AutoRun\command- E:\setup.exe


**************************************************************************

catchme 0.3.914 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-03 17:43:41
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-03 17:45:23 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-07-03 17:45

--- E O F ---



Logfile of HijackThis v1.99.1
Scan saved at 5:49:44 PM, on 7/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\internet explorer\iexplore.exe
C:\DOCUME~1\McNeill\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityrespo...r/fix_homepage/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {93f64f78-e60f-4542-98ad-0b229f9122d6} - C:\WINDOWS\system32\yxulhat.dll (file missing)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Uaol] "C:\WINDOWS\CROSOF~1\svchost.exe" -vt yazb
O4 - HKCU\..\Run: [Xvvx] "C:\Program Files\?icrosoft\??plorer.exe"
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe



How does it look?

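The log above is the kind of thing a HijackThis helper reads by eye. As an added example (not code from this thread, from HijackThis or from the helper), the script below runs the same triage over constructed sample lines in HijackThis 1.99 format, modelled on entries from this thread: a random-named executable in the Windows root, an `svchost.exe` loaded from outside `system32`, a path with characters the log could not render (`?icrosoft\??plorer.exe`), a six-letter DLL as a Winlogon Notify hook, and a `tmpNNN.tmp.exe` Run entry. The allow-list, the `C:\WINDOWS` location and the severity labels are the example's own assumptions; the sample log is constructed, not the poster's full log.

```python
import ntpath
import re
from typing import Dict, List, Tuple

# Assumption: the Windows directory is C:\WINDOWS, as on the poster's machine.
WINDIR = r"c:\windows"
SYSTEM32 = WINDIR + r"\system32"

# First drive-letter path ending in a loadable-module extension, quoted or not.
PATH_RE = re.compile(r'([A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll|sys|ocx|cpl))', re.IGNORECASE)
# Illustrative (not exhaustive) allow-list of binaries that legitimately sit in the Windows root.
KNOWN_IN_WINDOWS_ROOT = {"explorer.exe", "notepad.exe", "regedit.exe", "hh.exe", "twain_32.dll"}
# Core binaries that must load from system32; a same-named copy anywhere else is a decoy.
SYSTEM32_ONLY = {"svchost.exe", "lsass.exe", "csrss.exe", "smss.exe", "winlogon.exe", "services.exe"}
RANDOM_STEM = re.compile(r"^(?:[a-z]{6}|[a-z]\d{4,})$")               # khggfd, nnoppp, j86759
TMP_MODULE = re.compile(r"^tmp[0-9a-f]{1,4}\.tmp\.(?:dll|exe)$", re.I)  # tmp786.tmp.dll

# Constructed sample in HijackThis format, modelled on entries from this thread.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\j86759.exe
C:\WINDOWS\CROSOF~1\svchost.exe
C:\Program Files\?icrosoft\??plorer.exe

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {93F64F78-E60F-4542-98AD-0B229F9122D6} - C:\WINDOWS\khggfd.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [Uaol] C:\DOCUME~1\McNeill\APPLIC~1\tmp9F.tmp.exe
O20 - Winlogon Notify: nnoppp - C:\WINDOWS\nnoppp.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
"""


def extract_path(line: str):
    m = PATH_RE.search(line)
    return m.group(1) if m else None


def check_entry(kind: str, line: str, path: str) -> List[Tuple[str, str]]:
    """Heuristics for one entry; returns (severity, reason) pairs, empty when nothing is off."""
    folder, name = ntpath.split(path.lower())
    stem = ntpath.splitext(name)[0]
    hits = []
    if "?" in path or any(ord(c) > 127 for c in path):
        # '?' is not legal in a Windows path: the log printed it for a character it could
        # not render, which is the look-alike trick behind "?icrosoft\??plorer.exe".
        hits.append(("high", "path contains characters the log could not render (look-alike name)"))
    if name in SYSTEM32_ONLY and folder != SYSTEM32:
        hits.append(("high", "core system binary name loaded from outside system32"))
    if TMP_MODULE.match(name):
        hits.append(("high", "tmpNNN.tmp.* module (the dropped-component naming seen in this thread)"))
    if folder == WINDIR and name not in KNOWN_IN_WINDOWS_ROOT:
        if RANDOM_STEM.match(stem):
            hits.append(("high", "random-looking name directly in the Windows root"))
        else:
            hits.append(("review", "unexpected binary directly in the Windows root, verify publisher"))
    if kind == "O20" and folder != SYSTEM32:
        hits.append(("high", "Winlogon Notify DLL outside system32 (loads into winlogon.exe)"))
    if kind == "O2" and "(no name)" in line:
        hits.append(("review", "BHO registered without a display name"))
    return hits


def triage(log_text: str) -> List[Dict[str, str]]:
    """Walk the 'Running processes' block and the O-numbered entries, collecting findings."""
    findings = []
    section = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            section = None          # a blank line ends the process list
            continue
        if line.startswith("Running processes:"):
            section = "process"
            continue
        m = re.match(r"^(O\d+)\s+-\s+", line)
        if m:
            section = m.group(1)    # O2, O4, O20, O23 ...
        elif section != "process":
            continue                # header lines, R0/R1 URLs etc. carry no module path
        path = extract_path(line)
        if path is None:
            continue
        for severity, reason in check_entry(section, line, path):
            findings.append({"kind": section, "path": path, "severity": severity, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['severity']:6}] {f['kind']:8} {f['path']}  <- {f['reason']}")
```

The "review" severity is deliberate: `stsystra.exe` really does live in `C:\WINDOWS` on Dell machines with SigmaTel audio, so anything in the Windows root that is not on the allow-list and not random-looking is a prompt to check the publisher, not a verdict. Entries like `%windir%\...\xpnetdiag.exe (file missing)` carry no drive-letter path and are skipped.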
#7 Mieke

Mieke

    HJT Helper

  • Retired Staff - Helper
  • PipPipPipPip
  • 265 posts

Posted 04 July 2007 - 07:31 AM

Hi GACGustie,

* Please open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\khggfd.dll
C:\DOCUME~1\McNeill\APPLIC~1\tmp9F.tmp.exe
C:\WINDOWS\nnoppp.dll
C:\WINDOWS\system32\tmp786.tmp.dll
C:\WINDOWS\system32\tmp6B4.tmp.dll
C:\WINDOWS\system32\tmp5EB.tmp.dll
C:\WINDOWS\system32\tmp4DF.tmp.dll
C:\WINDOWS\system32\tmp37F.tmp.dll
C:\WINDOWS\system32\tmp316.tmp.dll
C:\WINDOWS\system32\tmp1EE.tmp.dll
C:\WINDOWS\vtrpqo.dll
C:\WINDOWS\tuttsr.dll
C:\WINDOWS\system32\tmpE1.tmp.dll
C:\WINDOWS\system32\tmpC9.tmp.dll
C:\WINDOWS\system32\tmp9D.tmp.dll
C:\WINDOWS\system32\tmp7E.tmp.dll
C:\WINDOWS\system32\tmp136.tmp.dll
C:\WINDOWS\system32\tmp67D.tmp.dll
C:\WINDOWS\system32\tmp5F6.tmp.dll
C:\WINDOWS\system32\tmp5F4.tmp.dll
C:\WINDOWS\system32\tmp4FD.tmp.dll
C:\WINDOWS\system32\tmp24A.tmp.dll
C:\WINDOWS\system32\tmp13A.tmp.dll
C:\WINDOWS\system32\tmp139.tmp.dll
C:\WINDOWS\system32\tmpA6.tmp.dll
C:\WINDOWS\system32\tmpC3.tmp.dll
C:\WINDOWS\system32\tmp18.tmp.dll
C:\WINDOWS\system32\tmp52D.tmp.dll
C:\WINDOWS\system32\tmp52C.tmp.dll
C:\WINDOWS\system32\tmp4AA.tmp.dll
C:\WINDOWS\system32\tmp4A8.tmp.dll
C:\WINDOWS\system32\tmp3A8.tmp.dll
C:\WINDOWS\system32\tmp3A7.tmp.dll
C:\WINDOWS\system32\tmp1AC.tmp.dll
C:\WINDOWS\system32\tmp1AB.tmp.dll
C:\WINDOWS\system32\tmp168.tmp.dll
C:\WINDOWS\j86759.exe

Folder::
C:\VundoFix Backups
C:\WINDOWS\system32\S7
C:\WINDOWS\system32\S4
C:\WINDOWS\system32\S2
C:\WINDOWS\system32\S1

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{93f64f78-e60f-4542-98ad-0b229f9122d6}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"=-
"Uaol"=-
"Xvvx"=-



Save this as ComboFix-Do.txt

Then drag the ComboFix-Do.txt into ComboFix.exe as you see in the screenshot below.
Posted Image

This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply along with a new HijackThis log.

----------------------------------------------------------

* Please submit the following file to one of these online file scanners.

C:\WINDOWS\system32\EBCC9BD9FE.sys

Jotti File Scan
VirusTotal File Scan
This will produce a report after the scan is complete, please copy and paste those results in your next post.
Please perform the same with C:\WINDOWS\system32\FED99BCCEB.sys


----------------------------------------------------------

Logs to be included in your next reply please:

1. The 2 log results from Jotti.
2. The contents of the ComboFix log
3. A new Hijackthis log

Mieke :)

Edited by Mieke, 04 July 2007 - 07:33 AM.


#8 GACGustie

GACGustie

    Member

  • Full Member
  • Pip
  • 6 posts

Posted 04 July 2007 - 12:52 PM

Complete scanning result of "EBCC9BD9FE.sys", received in VirusTotal at 07.04.2007, 19:29:05 (CET).

Antivirus Version Update Result
AhnLab-V3 2007.7.5.0 07.04.2007 no virus found
AntiVir 7.4.0.37 07.04.2007 no virus found
Authentium 4.93.8 07.04.2007 no virus found
Avast 4.7.997.0 07.04.2007 no virus found
AVG 7.5.0.476 07.04.2007 no virus found
BitDefender 7.2 07.04.2007 no virus found
CAT-QuickHeal 9.00 07.04.2007 no virus found
ClamAV devel-20070416 07.04.2007 no virus found
DrWeb 4.33 07.04.2007 no virus found
eSafe 7.0.15.0 07.04.2007 no virus found
eTrust-Vet 30.8.3762 07.04.2007 no virus found
Ewido 4.0 07.04.2007 no virus found
FileAdvisor 1 07.04.2007 no virus found
Fortinet 2.91.0.0 07.03.2007 no virus found
F-Prot 4.3.2.48 07.03.2007 no virus found
F-Secure 6.70.13030.0 07.04.2007 no virus found
Ikarus T3.1.1.8 07.04.2007 no virus found
Kaspersky 4.0.2.24 07.04.2007 no virus found
McAfee 5066 07.03.2007 no virus found
Microsoft 1.2701 07.04.2007 no virus found
NOD32v2 2378 07.04.2007 no virus found
Norman 5.80.02 07.04.2007 no virus found
Panda 9.0.0.4 07.04.2007 no virus found
Sophos 4.19.0 06.28.2007 no virus found
Sunbelt 2.2.907.0 07.04.2007 no virus found
Symantec 10 07.04.2007 no virus found
TheHacker 6.1.6.142 07.04.2007 no virus found
VBA32 3.12.0.2 07.03.2007 no virus found
VirusBuster 4.3.23:9 07.04.2007 no virus found
Webwasher-Gateway 6.0.1 07.04.2007 no virus found

Complete scanning result of "FED99BCCEB.sys", received in VirusTotal at 07.04.2007, 19:41:42 (CET).

Antivirus Version Update Result
AhnLab-V3 2007.7.5.0 07.04.2007 no virus found
AntiVir 7.4.0.37 07.04.2007 no virus found
Authentium 4.93.8 07.04.2007 no virus found
Avast 4.7.997.0 07.04.2007 no virus found
AVG 7.5.0.476 07.04.2007 no virus found
BitDefender 7.2 07.04.2007 no virus found
CAT-QuickHeal 9.00 07.04.2007 no virus found
ClamAV devel-20070416 07.04.2007 no virus found
DrWeb 4.33 07.04.2007 no virus found
eSafe 7.0.15.0 07.04.2007 no virus found
eTrust-Vet 30.8.3762 07.04.2007 no virus found
Ewido 4.0 07.04.2007 no virus found
FileAdvisor 1 07.04.2007 no virus found
Fortinet 2.91.0.0 07.03.2007 no virus found
F-Prot 4.3.2.48 07.03.2007 no virus found
F-Secure 6.70.13030.0 07.04.2007 no virus found
Ikarus T3.1.1.8 07.04.2007 no virus found
Kaspersky 4.0.2.24 07.04.2007 no virus found
McAfee 5066 07.03.2007 no virus found
Microsoft 1.2701 07.04.2007 no virus found
NOD32v2 2378 07.04.2007 no virus found
Norman 5.80.02 07.04.2007 no virus found
Panda 9.0.0.4 07.04.2007 no virus found
Sophos 4.19.0 06.28.2007 no virus found
Sunbelt 2.2.907.0 07.04.2007 no virus found
Symantec 10 07.04.2007 no virus found
TheHacker 6.1.6.142 07.04.2007 no virus found
VBA32 3.12.0.2 07.03.2007 no virus found
VirusBuster 4.3.23:9 07.04.2007 no virus found
Webwasher-Gateway 6.0.1 07.04.2007 no virus found

"McNeill" - 2007-07-04 11:41:59 - ComboFix 07-07-03.9 - Service Pack 2
Command switches used :: C:\HIJACK THIS\ComboFix-Do.txt


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\McNeill\APPLIC~1\tmp9F.tmp.exe
C:\VundoFix Backups
C:\VundoFix Backups\addmorefiles.txt
C:\VundoFix Backups\tmpE4.tmp.dll.bad
C:\WINDOWS\j86759.exe
C:\WINDOWS\khggfd.dll
C:\WINDOWS\nnoppp.dll
C:\WINDOWS\system32\S1
C:\WINDOWS\system32\S2
C:\WINDOWS\system32\S2\mwspasrt83122.exe
C:\WINDOWS\system32\S4
C:\WINDOWS\system32\S4\wen2.exe
C:\WINDOWS\system32\S7
C:\WINDOWS\system32\tmp136.tmp.dll
C:\WINDOWS\system32\tmp139.tmp.dll
C:\WINDOWS\system32\tmp13A.tmp.dll
C:\WINDOWS\system32\tmp168.tmp.dll
C:\WINDOWS\system32\tmp18.tmp.dll
C:\WINDOWS\system32\tmp1AB.tmp.dll
C:\WINDOWS\system32\tmp1AC.tmp.dll
C:\WINDOWS\system32\tmp1EE.tmp.dll
C:\WINDOWS\system32\tmp24A.tmp.dll
C:\WINDOWS\system32\tmp316.tmp.dll
C:\WINDOWS\system32\tmp37F.tmp.dll
C:\WINDOWS\system32\tmp3A7.tmp.dll
C:\WINDOWS\system32\tmp3A8.tmp.dll
C:\WINDOWS\system32\tmp4A8.tmp.dll
C:\WINDOWS\system32\tmp4AA.tmp.dll
C:\WINDOWS\system32\tmp4DF.tmp.dll
C:\WINDOWS\system32\tmp4FD.tmp.dll
C:\WINDOWS\system32\tmp52C.tmp.dll
C:\WINDOWS\system32\tmp52D.tmp.dll
C:\WINDOWS\system32\tmp5EB.tmp.dll
C:\WINDOWS\system32\tmp5F4.tmp.dll
C:\WINDOWS\system32\tmp5F6.tmp.dll
C:\WINDOWS\system32\tmp67D.tmp.dll
C:\WINDOWS\system32\tmp6B4.tmp.dll
C:\WINDOWS\system32\tmp786.tmp.dll
C:\WINDOWS\system32\tmp7E.tmp.dll
C:\WINDOWS\system32\tmp9D.tmp.dll
C:\WINDOWS\system32\tmpA6.tmp.dll
C:\WINDOWS\system32\tmpC3.tmp.dll
C:\WINDOWS\system32\tmpC9.tmp.dll
C:\WINDOWS\system32\tmpE1.tmp.dll
C:\WINDOWS\tuttsr.dll
C:\WINDOWS\vtrpqo.dll


((((((((((((((((((((((((( Files Created from 2007-06-04 to 2007-07-04 )))))))))))))))))))))))))))))))


2007-07-03 17:35 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-03 17:21 <DIR> d-------- C:\HIJACK THIS
2007-06-25 21:35 <DIR> d-------- C:\WINDOWS\pss
2007-06-15 14:43 53,248 --a------ C:\WINDOWS\uni_eh43.exe


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-04 16:38:40 -------- d-----w C:\Program Files\Symantec AntiVirus
2007-07-03 22:41:47 -------- d-----w C:\Program Files\Online Services
2007-06-29 22:23:30 -------- d-----w C:\Program Files\Windows Plus
2007-06-11 21:27:14 5,852 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2007-06-11 21:27:13 88 --sh--r C:\WINDOWS\system32\EBCC9BD9FE.sys
2007-06-01 23:22:15 -------- d-----w C:\DOCUME~1\McNeill\APPLIC~1\AdobeUM
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-17 03:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-17 03:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-17 03:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-17 03:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-17 03:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-17 03:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-17 03:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-17 03:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2006-11-05 20:39:21 56 --sh--r C:\WINDOWS\system32\FED99BCCEB.sys


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
2003-11-03 14:17 54248 --a------ C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5CA3D70E-1895-11CF-8E15-001234567890}]
2005-09-08 05:20 110652 --a------ C:\WINDOWS\System32\DLA\DLASHX_W.DLL

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
2007-03-14 03:43 501400 --a------ C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 23:20 C:\WINDOWS\stsystra.exe]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 21:05]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 03:12]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2006-04-17 22:18]
"MMTray"="C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [2005-09-08 19:20]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 10:44]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 10:44]
"@"="" []
"Corel Photo Downloader"="C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe" [2006-02-09 17:34]
"MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [2005-07-12 19:05]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2005-04-08 15:52]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2005-04-17 12:30]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-11 23:12]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-02-23 16:45]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-06-10 10:52]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 05:00]
"EasyLinkAdvisor"="C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" [2006-04-02 21:07]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 11:09]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
AutoRun\command- E:\setup.exe


**************************************************************************

catchme 0.3.914 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-04 11:43:55
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-04 11:44:15
C:\ComboFix-quarantined-files.txt ... 2007-07-04 11:44
C:\ComboFix2.txt ... 2007-07-03 17:45

--- E O F ---

Logfile of HijackThis v1.99.1
Scan saved at 12:52:28 PM, on 7/4/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\explorer.exe
C:\DOCUME~1\McNeill\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityrespo...r/fix_homepage/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

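Post #7 gives ComboFix a script in `File::` / `Folder::` / `Registry::` form, and post #8 shows the resulting log, whose "Other Deletions" section is the record of what was actually removed. As an added example (not code from the thread or from ComboFix), the script below parses both and reconciles them: it lists requested files and folders that do not appear among the deletions, lists deletions that nobody asked for (ComboFix removes things it recognises on its own), and turns the `Registry::` section into a checklist, since registry removals are not listed under "Other Deletions" and have to be verified in a fresh HijackThis log. The two inputs are constructed excerpts modelled on the posts above, trimmed, with one requested file (`vtrpqo.dll`) deliberately left out of the log and one extra deletion (`tmp1FF.tmp.dll`, an invented name) added so that both report branches are exercised.

```python
from typing import Dict, List, Optional, Tuple

# Constructed excerpt of a ComboFix script in the form used in this thread.
SCRIPT = r"""
File::
C:\WINDOWS\khggfd.dll
C:\WINDOWS\j86759.exe
C:\WINDOWS\system32\tmp786.tmp.dll
C:\WINDOWS\vtrpqo.dll

Folder::
C:\VundoFix Backups
C:\WINDOWS\system32\S2

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{93f64f78-e60f-4542-98ad-0b229f9122d6}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Uaol"=-
"Xvvx"=-
"""

# Constructed excerpt of the ComboFix log; vtrpqo.dll is missing and tmp1FF.tmp.dll is extra.
LOG = r"""
"McNeill" - 2007-07-04 11:41:59 - ComboFix 07-07-03.9 - Service Pack 2
Command switches used :: C:\HIJACK THIS\ComboFix-Do.txt

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\VundoFix Backups
C:\VundoFix Backups\addmorefiles.txt
C:\WINDOWS\j86759.exe
C:\WINDOWS\khggfd.dll
C:\WINDOWS\system32\S2
C:\WINDOWS\system32\S2\mwspasrt83122.exe
C:\WINDOWS\system32\tmp1FF.tmp.dll
C:\WINDOWS\system32\tmp786.tmp.dll

((((((((((((((((((((((((( Files Created from 2007-06-04 to 2007-07-04 )))))))))))))))))))))))))))))))
"""

RegOp = Tuple[str, str, Optional[str]]  # ("delete_key", key, None) or ("delete_value", key, name)


def parse_script(text: str) -> Dict[str, list]:
    """Split a ComboFix script into its File::, Folder:: and Registry:: requests."""
    req: Dict[str, list] = {"File": [], "Folder": [], "Registry": []}
    section = None
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):                  # section header such as "File::"
            section, current_key = line[:-2], None
            continue
        if section in ("File", "Folder"):
            req[section].append(line)
        elif section == "Registry":
            if line.startswith("[-") and line.endswith("]"):
                req["Registry"].append(("delete_key", line[2:-1], None))
            elif line.startswith("[") and line.endswith("]"):
                current_key = line[1:-1]           # values that follow belong to this key
            elif line.endswith("=-") and current_key:
                req["Registry"].append(("delete_value", current_key, line[:-2].strip('"')))
    return req


def parse_deletions(log_text: str) -> List[str]:
    """Return the paths listed under the log's 'Other Deletions' banner."""
    deleted, in_section = [], False
    for raw in log_text.splitlines():
        line = raw.strip()
        if "Other Deletions" in line:
            in_section = True
            continue
        if in_section:
            if line.startswith("((((("):          # next banner ends the section
                break
            if line:
                deleted.append(line)
    return deleted


def under(path: str, folder: str) -> bool:
    p, f = path.lower(), folder.lower().rstrip("\\")
    return p == f or p.startswith(f + "\\")


def reconcile(script_text: str, log_text: str) -> Dict[str, list]:
    req = parse_script(script_text)
    deleted = parse_deletions(log_text)
    deleted_lc = {d.lower() for d in deleted}
    requested_files = {p.lower() for p in req["File"]}
    missing = [p for p in req["File"] + req["Folder"] if p.lower() not in deleted_lc]
    covered = lambda d: d.lower() in requested_files or any(under(d, f) for f in req["Folder"])
    unrequested = [d for d in deleted if not covered(d)]
    return {"missing": missing, "unrequested": unrequested, "registry": req["Registry"]}


if __name__ == "__main__":
    result = reconcile(SCRIPT, LOG)
    print("requested but not deleted:", result["missing"])
    print("deleted without being requested:", result["unrequested"])
    print("registry items to confirm in the next HijackThis log:", result["registry"])
```

Files inside a requested folder (for example `C:\WINDOWS\system32\S2\mwspasrt83122.exe`) count as covered by the folder request. Anything reported as "requested but not deleted" is the first thing to look for in the follow-up HijackThis log, since a file that survived the script is usually still loading.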
#9 Mieke

Mieke

    HJT Helper

  • Retired Staff - Helper
  • PipPipPipPip
  • 265 posts

Posted 04 July 2007 - 01:02 PM

Hi GACGustie, good job :thumbsup:

How is the computer running now?

#10 GACGustie

GACGustie

    Member

  • Full Member
  • Pip
  • 6 posts

Posted 05 July 2007 - 05:37 PM

Everything seems to be running smoothly. Thanks a lot. Is it ok for me to delete all the programs and logs I saved for this removal process?

#11 Mieke

Mieke

    HJT Helper

  • Retired Staff - Helper
  • PipPipPipPip
  • 265 posts

Posted 05 July 2007 - 05:42 PM

Hi GACGustie, you're most welcome. :)
I'm very happy to hear that your system is running smoothly. :D
Yes you may delete the tools and logs as we don't need them anymore.

* Please reset your System Restore, because if you go back in time with "System Restore", the infections may reinstall. How to do that:

1. Click Start.
2. Right-click the My Computer icon and click Properties.
3. Click the System Restore tab.
4. Check "Turn off System Restore" and click "Apply".
5. When turning off System Restore, the existing Restore Points will be deleted. Click Yes to do this.
Please give it a moment as it deletes the old System Restore Points.
6. Then uncheck "Turn off System Restore" which will create a new System Restore Point.
7. Click Apply and then OK.

* Below I have included a number of recommendations for how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously; these few simple steps can stave off the vast majority of spyware problems. As happy as we at SWI are to help you, for your sake we would rather not have repeat customers. :p

1) In order to protect yourself against spyware, you should consider installing and running the following free programs:

Ad-Aware SE
A tutorial on using Ad-Aware to remove spyware from your computer may be found here.

Spybot-Search & Destroy
A tutorial on using Spybot to remove spyware from your computer may be found here. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

SpywareBlaster
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found here.

SpywareGuard
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found here.

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

2) Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here:
http://www.mozilla.o...oducts/firefox/

Please also read Tony Klein's excellent article: How I got Infected in the First Place

Hopefully this should take care of your problems! Good luck. :D

Mieke.

#12 Mieke

Mieke

    HJT Helper

  • Retired Staff - Helper
  • PipPipPipPip
  • 265 posts

Posted 06 July 2007 - 04:03 PM

Glad we could help. :)

If you need this topic reopened, please tell the moderating team by replying here with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.



