
spyware and malware infections



#1 happyFish


Posted 10 July 2009 - 08:07 PM

Hello all. First post here.

Recently, my computer was infected with something that keeps sending pop-ups and opening the internet and going to websites even when offline. Thinking it was a virus, I used Norton Antivirus 2006, found some Trojan viruses, deleted them, and thought that was the end of it.
However, last night the computer became sluggish, ran the fan often, and informed me that it had stopped multiple worms and viruses, was already infected, and was in danger. I scanned the computer again, and it found two viruses, both called Downloader, and I followed the procedure of disabling System Restore, updating definitions, restarting in safe mode and scanning again, restarting once more and deleting these files manually, and clearing Internet Explorer's history. This morning, I found a number of pop-ups present, and I kept getting a message that said b.exe - Application Error, and in the box it said: The instruction at "0x0040651e" referenced memory at "0x00000004". The memory could not be "read". Click OK to terminate the program.

Norton said the computer was fine, but whenever I went onto the internet pop-ups would occur, and when trying to go to a website via Google I was redirected to a number of different sites trying to sell me something, and I have to re-click the same search result multiple times to get to where I want.

The pop-ups, from what I remember, weren't anything specific, but I do remember seeing some work-at-home job sites often. As an experiment I tried going to a page on Wikipedia via Google, and I was being directed to other sites, such as MonsterMarketplace, WiseTo, ToseekA, Alibaba.com, WebCrawler, Alfy.Com, encyclopedia.com, and eventually to the wiki article itself. This had happened before when I was trying to find a way to fix my computer, and on sites such as cnet and myspace.

In addition, after using Norton and trying to delete viruses, Speed Disk, which comes with Norton, does not work. Also, I cannot access the firewall settings on the computer, because it says that an error has occurred.

I have read the FAQ on the site and run Spybot, Malwarebytes' Anti-Malware, and HijackThis, and they all found some 30 problems that needed fixing. Although the computer seems fine now, I suspect that there are programs still hidden that will strike at the computer once more, and that Norton Antivirus never found them to begin with.

Any help would obviously be greatly appreciated.


Malwarebytes Log:
Malwarebytes' Anti-Malware 1.38
Database version: 2404
Windows 5.1.2600 Service Pack 3

7/10/2009 2:52:19 PM
mbam-log-2009-07-10 (14-52-19).txt

Scan type: Quick Scan
Objects scanned: 175324
Time elapsed: 16 minute(s), 32 second(s)

Memory Processes Infected: 2
Memory Modules Infected: 3
Registry Keys Infected: 15
Registry Values Infected: 13
Registry Data Items Infected: 2
Folders Infected: 2
Files Infected: 15

Memory Processes Infected:
C:\WINDOWS\msa.exe (Trojan.FakeAlert) -> Unloaded process successfully.
C:\Documents and Settings\Owner\Application Data\cft\cft.exe (Trojan.Dropper) -> Unloaded process successfully.

Memory Modules Infected:
c:\WINDOWS\system32\msncache.dll (Backdoor.Bot) -> Delete on reboot.
C:\Program Files\Mozilla Firefox\components\WWShow.dll (Trojan.BHO) -> Delete on reboot.
C:\Program Files\Mozilla Firefox\components\dfff.dll (Trojan.Agent.V) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\msncache (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\msncache (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msncache (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mjcore.mjcore (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mjcore.mjcore.1 (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{d88e1558-7c2d-407a-953a-c044f5607cea} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{40196867-19f8-7157-c097-ecaff653c9ad} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{8567edfa-408c-43e9-b929-4c25c04f5003} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{d88e1558-7c2d-407a-953a-c044f5607cea} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{15421b84-3488-49a7-ad18-cbf84a3efaf6} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{500bca15-57a7-4eaf-8143-8c619470b13d} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d88e1558-7c2d-407a-953a-c044f5607cea} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\xpreapp (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\MJCore.dll (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cft (Trojan.Dropper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DigiFast (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\BuildW (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\FirstInstallFlag (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\guid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\i (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\mms (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\mso (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\uid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Ulrn (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Update (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\UpdateNew (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pridl (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\WWShow (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\Owner\Application Data\cft (Trojan.Downloader) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\msa.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\msncache.dll (Backdoor.Bot) -> Delete on reboot.
C:\Documents and Settings\Owner\Application Data\cft\cft.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Program Files\Mozilla Firefox\components\WWShow.dll (Trojan.BHO) -> Delete on reboot.
C:\Program Files\Mozilla Firefox\components\dfff.dll (Trojan.Agent.V) -> Delete on reboot.
c:\WINDOWS\system32\msxml71.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\tpsaxyd.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\wiwow64.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\localservice\local settings\temporary internet files\Content.IE5\6GQFGWIM\w[1].bin (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\Owner\Desktop\Free stuff - craigslist.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\FInstall.sys (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\010112010146118114.dat (Worm.KoobFace) -> Quarantined and deleted successfully.
c:\WINDOWS\0101120101464849.dat (Worm.KoobFace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wiawow32.sys (Backdoor.Bot) -> Quarantined and deleted successfully.
c:\WINDOWS\934fdfg34fgjf23 (Worm.KoobFace) -> Quarantined and deleted successfully.



HijackThis log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:49:10 PM, on 7/10/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~2\NORTON~2\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\NORTON~2\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\SIMPLE~1\PHOTOS~1\data\Xtras\mssysmgr.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\InterMute\PopSubtract\PopSub.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Owner\Desktop\HiJackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://toolbar.ask.c...c...amp;gc=1&q=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.h...a...&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.h...a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://toolbar.ask.c...c...amp;gc=1&q=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://toolbar.ask.c...c...p;gc=1&q=%s
R3 - URLSearchHook: DefaultSearchHook Class - {C94E154B-1459-4A47-966B-4B843BEFC7DB} - C:\Program Files\AskSearch\bin\DefaultSearch.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [UpdateManager] "c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SDActiveMonitor] C:\Program Files\SpywareDetector\SDActiveMonitor.exe -AUTO
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [Simple Star PhotoShow Media Manager] C:\PROGRA~1\SIMPLE~1\PHOTOS~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: PopSubtract.lnk = C:\Program Files\InterMute\PopSubtract\PopSub.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O9 - Extra 'Tools' menuitem: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2DFF31F9-7893-4922-AF66-C9A1EB4EBB31} (Rhapsody Player Engine) - http://forms.real.co...ne_Inst_Win.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1005.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1120613348312
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symant...ex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1179780767968
O16 - DPF: {B020B534-4AA2-4B99-BD6D-5F6EE286DF5C} (Symantec Download Bridge) - https://a248.e.akama...ol/SymDlBrg.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Google Update Service (gupdate1c9f2ef27701172) (gupdate1c9f2ef27701172) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton UnErase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~2\NPROTECT.EXE
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: SDService - Unknown owner - C:\Program Files\SpywareDetector\SDService.exe (file missing)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O24 - Desktop Component 0: (no name) - http://www.9healthfa...ages/top_bg.jpg

--
End of file - 11711 bytes

----edit----
I took the opportunity to run another scan, this time with BitDefender. The log is as follows:



BitDefender Online Scanner

Scan report generated at: Fri, Jul 10, 2009 - 21:41:00

Scan path: C:\;D:\;E:\;F:\;G:\;H:\;K:\;

Statistics
Time: 02:13:52
Files: 831861
Folders: 12656
Boot Sectors: 0
Archives: 18666
Packed Files: 44359

Results
Identified Viruses: 42
Infected Files: 58
Suspect Files: 0
Warnings: 0
Disinfected: 0
Deleted Files: 112

Engines Info
Virus Definitions: 3672902
Engine build: AVCORE v1.7 (build 8314.19) (i386) (Sep 29 2008 17:19:14)
Scan plugins: 17
Archive plugins: 45
Unpack plugins: 7
E-mail plugins: 6
System plugins: 4

Scan Settings
First Action: Disinfect
Second Action: Delete
Heuristics: Yes
Enable Warnings: Yes
Scanned Extensions: *;
Exclude Extensions:
Scan Emails: Yes
Scan Archives: Yes
Scan Packed: Yes
Scan Files: Yes
Scan Boot: Yes

Scanned File / Status

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\00A51515.exe=>(Quarantine-2)
Infected with: Trojan.PWS.OnlineGames.AAAW

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\00A51515.exe=>(Quarantine-2)
Deleted

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\00A51515.exe
Deleted

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\0F342D77.sys=>(Quarantine-2)
Infected with: Rootkit.TDss.Y

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\0F342D77.sys=>(Quarantine-2)
Disinfection failed

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\0F342D77.sys=>(Quarantine-2)
Deleted

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\0F342D77.sys
Deleted

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\0F375774.sys=>(Quarantine-2)
Infected with: Rootkit.TDss.Y

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\0F375774.sys=>(Quarantine-2)
Disinfection failed

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\0F375774.sys=>(Quarantine-2)
Deleted

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\0F375774.sys
Deleted

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\10F10928.inf=>(Quarantine-2)
Infected with: Trojan.Downloader.AEE

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\10F10928.inf=>(Quarantine-2)
Deleted

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\10F10928.inf
Deleted

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\1B871BE8.exe=>(Quarantine-2)
Infected with: Trojan.Generic.1775981

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\1B871BE8.exe=>(Quarantine-2)
Deleted

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\1B871BE8.exe
Deleted

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\1B8D6FE1.exe=>(Quarantine-2)
Infected with: Trojan.Generic.1712611

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\1B8D6FE1.exe=>(Quarantine-2)
Deleted

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\1B8D6FE1.exe
Deleted

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\1FEF70CF.exe=>(Quarantine-2)
Infected with: Trojan.Generic.CJ.DVI

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\1FEF70CF.exe=>(Quarantine-2)
Deleted

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\1FEF70CF.exe
Deleted

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\1FF544C7.exe=>(Quarantine-2)
Infected with: Trojan.Generic.CJ.DVI

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\1FF544C7.exe=>(Quarantine-2)
Deleted

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\1FF544C7.exe
Deleted

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\214D7596.dll=>(Quarantine-2)
Infected with: Trojan.Generic.1874086

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\214D7596.dll=>(Quarantine-2)
Deleted

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\214D7596.dll
Deleted

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\2EB45C8D.exe=>(Quarantine-2)
Infected with: Trojan.CryptRedol.Gen.2

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\2EB45C8D.exe=>(Quarantine-2)
Disinfection failed

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\2EB45C8D.exe=>(Quarantine-2)
Deleted

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\2EB45C8D.exe
Deleted

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\34641B66.sys=>(Quarantine-2)
Infected with: Gen:Trojan.Heur.2014EBCACA

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\34641B66.sys=>(Quarantine-2)
Disinfection failed

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\34641B66.sys=>(Quarantine-2)
Deleted

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\34641B66.sys
Deleted

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\346B6F5F.sys=>(Quarantine-2)
Infected with: Rootkit.TDss.Y

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\346B6F5F.sys=>(Quarantine-2)
Disinfection failed

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\346B6F5F.sys=>(Quarantine-2)
Deleted

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\346B6F5F.sys
Deleted

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\42CA59FA.cla=>(Quarantine-2)
Infected with: Trojan.Downloader.Java.Openstream.Y

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\42CA59FA.cla=>(Quarantine-2)
Deleted

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\42CA59FA.cla
Deleted

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\4AA3405F.htm=>(Quarantine-2)
Infected with: Trojan.Downloader.JS.LN

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\4AA3405F.htm=>(Quarantine-2)
Disinfection failed

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\4AA3405F.htm=>(Quarantine-2)
Deleted

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\4AA3405F.htm
Deleted

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5723227F.tmp=>(Quarantine-2)=>(JAVASCRIPT)
Infected with: Exploit.PDF-JS.Gen

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5723227F.tmp=>(Quarantine-2)=>(JAVASCRIPT)
Disinfection failed

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5723227F.tmp=>(Quarantine-2)=>(JAVASCRIPT)
Deleted

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5723227F.tmp=>(Quarantine-2)
Update failed

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\6D7A033B=>(Quarantine-2)
Infected with: Trojan.Downloader.Java.Openstream.Y

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\6D7A033B=>(Quarantine-2)
Deleted

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\6D7A033B
Deleted

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\727B2DEE.exe=>(Quarantine-2)
Infected with: Trojan.Generic.2094599

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\727B2DEE.exe=>(Quarantine-2)
Deleted

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\727B2DEE.exe
Deleted

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\7623067A.exe=>(Quarantine-2)
Infected with: Trojan.FakeAlert.BGR

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\7623067A.exe=>(Quarantine-2)
Deleted

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\7623067A.exe
Deleted

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\7E9201FC.exe=>(Quarantine-2)
Detected with: Application.Generic.137581

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\7E9201FC.exe=>(Quarantine-2)
Disinfection failed

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\7E9201FC.exe=>(Quarantine-2)
Deleted

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\7E9201FC.exe
Deleted

C:\Documents and Settings\Isetta\My Documents\Saved disc 2\Norton AntiVirus\Quarantine\01507C25=>(Quarantine-2)
Detected with: Application.Adintelligence.Apropostoolbar.C

C:\Documents and Settings\Isetta\My Documents\Saved disc 2\Norton AntiVirus\Quarantine\01507C25=>(Quarantine-2)
Disinfection failed

C:\Documents and Settings\Isetta\My Documents\Saved disc 2\Norton AntiVirus\Quarantine\01507C25=>(Quarantine-2)
Deleted

C:\Documents and Settings\Isetta\My Documents\Saved disc 2\Norton AntiVirus\Quarantine\01507C25
Deleted

C:\Documents and Settings\Isetta\My Documents\Saved disc 2\Norton AntiVirus\Quarantine\017C2693=>(Quarantine-2)
Infected with: Trojan.Dropper.Agent.HG

C:\Documents and Settings\Isetta\My Documents\Saved disc 2\Norton AntiVirus\Quarantine\017C2693=>(Quarantine-2)
Deleted

C:\Documents and Settings\Isetta\My Documents\Saved disc 2\Norton AntiVirus\Quarantine\017C2693
Deleted

C:\Documents and Settings\Isetta\My Documents\Saved disc 2\Norton AntiVirus\Quarantine\06D102FB=>(Quarantine-2)
Infected with: Trojan.Downloader.Agent.AM

C:\Documents and Settings\Isetta\My Documents\Saved disc 2\Norton AntiVirus\Quarantine\06D102FB=>(Quarantine-2)
Deleted

C:\Documents and Settings\Isetta\My Documents\Saved disc 2\Norton AntiVirus\Quarantine\06D102FB
Deleted

C:\Documents and Settings\Isetta\My Documents\Saved disc 2\Norton AntiVirus\Quarantine\09370A65=>(Quarantine-2)
Infected with: Trojan.Generic.1689708

C:\Documents and Settings\Isetta\My Documents\Saved disc 2\Norton AntiVirus\Quarantine\09370A65=>(Quarantine-2)
Deleted

C:\Documents and Settings\Isetta\My Documents\Saved disc 2\Norton AntiVirus\Quarantine\09370A65
Deleted

C:\Documents and Settings\Isetta\My Documents\Saved disc 2\Norton AntiVirus\Quarantine\09443256=>(Quarantine-2)
Infected with: Trojan.Downloader.Small.WJ

C:\Documents and Settings\Isetta\My Documents\Saved disc 2\Norton AntiVirus\Quarantine\09443256=>(Quarantine-2)
Deleted

C:\Documents and Settings\Isetta\My Documents\Saved disc 2\Norton AntiVirus\Quarantine\09443256
Deleted

C:\Documents and Settings\Isetta\My Documents\Saved disc 2\Norton AntiVirus\Quarantine\18D41729=>(Quarantine-2)
Infected with: Trojan.Downloader.Agent.AM

C:\Documents and Settings\Isetta\My Documents\Saved disc 2\Norton AntiVirus\Quarantine\18D41729=>(Quarantine-2)
Deleted

C:\Documents and Settings\Isetta\My Documents\Saved disc 2\Norton AntiVirus\Quarantine\18D41729
Deleted

C:\Documents and Settings\Isetta\My Documents\Saved disc 2\Norton AntiVirus\Quarantine\1DB013D0=>(Quarantine-2)
Infected with: Trojan.Generic.222910

C:\Documents and Settings\Isetta\My Documents\Saved disc 2\Norton AntiVirus\Quarantine\1DB013D0=>(Quarantine-2)
Deleted

C:\Documents and Settings\Isetta\My Documents\Saved disc 2\Norton AntiVirus\Quarantine\1DB013D0
Deleted

C:\Documents and Settings\Isetta\My Documents\Saved disc 2\Norton AntiVirus\Quarantine\1DB33DCD=>(Quarantine-2)
Infected with: Trojan.SecondThought.BF

C:\Documents and Settings\Isetta\My Documents\Saved disc 2\Norton AntiVirus\Quarantine\1DB33DCD=>(Quarantine-2)
Deleted

C:\Documents and Settings\Isetta\My Documents\Saved disc 2\Norton AntiVirus\Quarantine\1DB33DCD
Deleted

C:\Documents and Settings\Isetta\My Documents\Saved disc 2\Norton AntiVirus\Quarantine\1DB667C9=>(Quarantine-2)
Infected with: Trojan.Secondthought.BG

C:\Documents and Settings\Isetta\My Documents\Saved disc 2\Norton AntiVirus\Quarantine\1DB667C9=>(Quarantine-2)
Deleted

C:\Documents and Settings\Isetta\My Documents\Saved disc 2\Norton AntiVirus\Quarantine\1DB667C9
Deleted

C:\Documents and Settings\Isetta\My Documents\Saved disc 2\Norton AntiVirus\Quarantine\1DBA11C5=>(Quarantine-2)
Infected with: Trojan.Downloader.Envolo.A

C:\Documents and Settings\Isetta\My Documents\Saved disc 2\Norton AntiVirus\Quarantine\1DBA11C5=>(Quarantine-2)
Deleted

C:\Documents and Settings\Isetta\My Documents\Saved disc 2\Norton AntiVirus\Quarantine\1DBA11C5
Deleted

C:\Documents and Settings\Isetta\My Documents\Saved disc 2\Norton AntiVirus\Quarantine\1DBD3BC2=>(Quarantine-2)
Detected with: Adware.Apropos

C:\Documents and Settings\Isetta\My Documents\Saved disc 2\Norton AntiVirus\Quarantine\1DBD3BC2=>(Quarantine-2)
Deleted

C:\Documents and Settings\Isetta\My Documents\Saved disc 2\Norton AntiVirus\Quarantine\1DBD3BC2
Deleted

C:\Documents and Settings\Isetta\My Documents\Saved disc 2\Norton AntiVirus\Quarantine\1DC065BE=>(Quarantine-2)
Infected with: Trojan.Downloader.Apropo.O

C:\Documents and Settings\Isetta\My Documents\Saved disc 2\Norton AntiVirus\Quarantine\1DC065BE=>(Quarantine-2)
Deleted

C:\Documents and Settings\Isetta\My Documents\Saved disc 2\Norton AntiVirus\Quarantine\1DC065BE
Deleted

C:\Documents and Settings\Isetta\My Documents\Saved disc 2\Norton AntiVirus\Quarantine\1DC30FBB=>(Quarantine-2)
Infected with: Trojan.Secondthought.BE

C:\Documents and Settings\Isetta\My Documents\Saved disc 2\Norton AntiVirus\Quarantine\1DC30FBB=>(Quarantine-2)
Deleted

C:\Documents and Settings\Isetta\My Documents\Saved disc 2\Norton AntiVirus\Quarantine\1DC30FBB
Deleted

C:\Documents and Settings\Isetta\My Documents\Saved disc 2\Norton AntiVirus\Quarantine\24682628=>(Quarantine-2)
Infected with: Trojan.Generic.222910

C:\Documents and Settings\Isetta\My Documents\Saved disc 2\Norton AntiVirus\Quarantine\24682628=>(Quarantine-2)
Deleted

C:\Documents and Settings\Isetta\My Documents\Saved disc 2\Norton AntiVirus\Quarantine\24682628
Deleted

C:\Documents and Settings\Isetta\My Documents\Saved disc 2\Norton AntiVirus\Quarantine\28294182=>(Quarantine-2)
Infected with: Dropped:Application.ProcKill.Jk

C:\Documents and Settings\Isetta\My Documents\Saved disc 2\Norton AntiVirus\Quarantine\28294182=>(Quarantine-2)
Disinfection failed

C:\Documents and Settings\Isetta\My Documents\Saved disc 2\Norton AntiVirus\Quarantine\28294182=>(Quarantine-2)
Deleted

C:\Documents and Settings\Isetta\My Documents\Saved disc 2\Norton AntiVirus\Quarantine\28294182
Deleted

C:\Documents and Settings\Isetta\My Documents\Saved disc 2\Norton AntiVirus\Quarantine\294C0517=>(Quarantine-2)
Infected with: Trojan.Downloader.Small.WJ

C:\Documents and Settings\Isetta\My Documents\Saved disc 2\Norton AntiVirus\Quarantine\294C0517=>(Quarantine-2)
Deleted

C:\Documents and Settings\Isetta\My Documents\Saved disc 2\Norton AntiVirus\Quarantine\294C0517
Deleted

C:\Documents and Settings\Isetta\My Documents\Saved disc 2\Norton AntiVirus\Quarantine\2B4D448F=>(Quarantine-2)
Infected with: Trojan.Dropper.Agent.HG

C:\Documents and Settings\Isetta\My Documents\Saved disc 2\Norton AntiVirus\Quarantine\2B4D448F=>(Quarantine-2)
Deleted

C:\Documents and Settings\Isetta\My Documents\Saved disc 2\Norton AntiVirus\Quarantine\2B4D448F
Deleted

C:\Documents and Settings\Isetta\My Documents\Saved disc 2\Norton AntiVirus\Quarantine\2FF86227=>(Quarantine-2)
Infected with: Trojan.Secondthought.BA

C:\Documents and Settings\Isetta\My Documents\Saved disc 2\Norton AntiVirus\Quarantine\2FF86227=>(Quarantine-2)
Deleted

C:\Documents and Settings\Isetta\My Documents\Saved disc 2\Norton AntiVirus\Quarantine\2FF86227
Deleted

C:\Documents and Settings\Isetta\My Documents\Saved disc 2\Norton AntiVirus\Quarantine\3B881E25=>(Quarantine-2)
Infected with: Trojan.Downloader.WinU.ST

C:\Documents and Settings\Isetta\My Documents\Saved disc 2\Norton AntiVirus\Quarantine\3B881E25=>(Quarantine-2)
Deleted

C:\Documents and Settings\Isetta\My Documents\Saved disc 2\Norton AntiVirus\Quarantine\3B881E25
Deleted

C:\Documents and Settings\Isetta\My Documents\Saved disc 2\Norton AntiVirus\Quarantine\3C9113FD=>(Quarantine-2)
Detected with: Adware.Generic.33750

C:\Documents and Settings\Isetta\My Documents\Saved disc 2\Norton AntiVirus\Quarantine\3C9113FD=>(Quarantine-2)
Deleted

C:\Documents and Settings\Isetta\My Documents\Saved disc 2\Norton AntiVirus\Quarantine\3C9113FD
Deleted

C:\Documents and Settings\Isetta\My Documents\Saved disc 2\Norton AntiVirus\Quarantine\422C5D6E=>(Quarantine-2)
Infected with: Trojan.Downloader.WinU.ST

C:\Documents and Settings\Isetta\My Documents\Saved disc 2\Norton AntiVirus\Quarantine\422C5D6E=>(Quarantine-2)
Deleted

C:\Documents and Settings\Isetta\My Documents\Saved disc 2\Norton AntiVirus\Quarantine\422C5D6E
Deleted

C:\Documents and Settings\Isetta\My Documents\Saved disc 2\Norton AntiVirus\Quarantine\447C3443=>(Quarantine-2)
Infected with: Trojan.Generic.2025767

C:\Documents and Settings\Isetta\My Documents\Saved disc 2\Norton AntiVirus\Quarantine\447C3443=>(Quarantine-2)
Deleted

C:\Documents and Settings\Isetta\My Documents\Saved disc 2\Norton AntiVirus\Quarantine\447C3443
Deleted

C:\Documents and Settings\Isetta\My Documents\Saved disc 2\Norton AntiVirus\Quarantine\44DB75DB=>(Quarantine-2)
Detected with: Adware.Generic.33750

C:\Documents and Settings\Isetta\My Documents\Saved disc 2\Norton AntiVirus\Quarantine\44DB75DB=>(Quarantine-2)
Deleted

C:\Documents and Settings\Isetta\My Documents\Saved disc 2\Norton AntiVirus\Quarantine\44DB75DB
Deleted

C:\Documents and Settings\Isetta\My Documents\Saved disc 2\Norton AntiVirus\Quarantine\44E81DCD=>(Quarantine-2)
Infected with: Trojan.Dropper.Surfside.A

C:\Documents and Settings\Isetta\My Documents\Saved disc 2\Norton AntiVirus\Quarantine\44E81DCD=>(Quarantine-2)
Deleted

C:\Documents and Settings\Isetta\My Documents\Saved disc 2\Norton AntiVirus\Quarantine\44E81DCD
Deleted

C:\Documents and Settings\Isetta\My Documents\Saved disc 2\Norton AntiVirus\Quarantine\494D2F69=>(Quarantine-2)
Infected with: Trojan.Secondthought.BG

C:\Documents and Settings\Isetta\My Documents\Saved disc 2\Norton AntiVirus\Quarantine\494D2F69=>(Quarantine-2)
Deleted

C:\Documents and Settings\Isetta\My Documents\Saved disc 2\Norton AntiVirus\Quarantine\494D2F69
Deleted

C:\Documents and Settings\Isetta\My Documents\Saved disc 2\Norton AntiVirus\Quarantine\49AF0325=>(Quarantine-2)
Detected with: Dialer.Asianraw.V

C:\Documents and Settings\Isetta\My Documents\Saved disc 2\Norton AntiVirus\Quarantine\49AF0325=>(Quarantine-2)
Disinfection failed

C:\Documents and Settings\Isetta\My Documents\Saved disc 2\Norton AntiVirus\Quarantine\49AF0325=>(Quarantine-2)
Deleted

C:\Documents and Settings\Isetta\My Documents\Saved disc 2\Norton AntiVirus\Quarantine\49AF0325
Deleted

C:\Documents and Settings\Isetta\My Documents\Saved disc 2\Norton AntiVirus\Quarantine\59473FEA=>(Quarantine-2)
Infected with: Trojan.Generic.1913007

C:\Documents and Settings\Isetta\My Documents\Saved disc 2\Norton AntiVirus\Quarantine\59473FEA=>(Quarantine-2)
Deleted

C:\Documents and Settings\Isetta\My Documents\Saved disc 2\Norton AntiVirus\Quarantine\59473FEA
Deleted

C:\Documents and Settings\Isetta\My Documents\Saved disc 2\Norton AntiVirus\Quarantine\59511294=>(Quarantine-2)=>/help.htm
Infected with: Trojan.Downloader.Js.J

C:\Documents and Settings\Isetta\My Documents\Saved disc 2\Norton AntiVirus\Quarantine\59511294=>(Quarantine-2)=>/help.htm
Deleted

C:\Documents and Settings\Isetta\My Documents\Saved disc 2\Norton AntiVirus\Quarantine\59511294=>(Quarantine-2)
Update failed

C:\Documents and Settings\Isetta\My Documents\Saved disc 2\Norton AntiVirus\Quarantine\6A300427=>(Quarantine-2)
Infected with: Trojan.SecondThought.BF

C:\Documents and Settings\Isetta\My Documents\Saved disc 2\Norton AntiVirus\Quarantine\6A300427=>(Quarantine-2)
Deleted

C:\Documents and Settings\Isetta\My Documents\Saved disc 2\Norton AntiVirus\Quarantine\6A300427
Deleted

C:\Documents and Settings\Isetta\My Documents\Saved disc 2\Norton AntiVirus\Quarantine\72521EF2=>(Quarantine-2)
Infected with: Trojan.Generic.544852

C:\Documents and Settings\Isetta\My Documents\Saved disc 2\Norton AntiVirus\Quarantine\72521EF2=>(Quarantine-2)
Deleted

C:\Documents and Settings\Isetta\My Documents\Saved disc 2\Norton AntiVirus\Quarantine\72521EF2
Deleted

C:\Documents and Settings\Isetta\My Documents\Saved disc 2\Norton AntiVirus\Quarantine\726A1DB3=>(Quarantine-2)
Infected with: Trojan.Dropper.Delf.JM

C:\Documents and Settings\Isetta\My Documents\Saved disc 2\Norton AntiVirus\Quarantine\726A1DB3=>(Quarantine-2)
Deleted

C:\Documents and Settings\Isetta\My Documents\Saved disc 2\Norton AntiVirus\Quarantine\726A1DB3
Deleted

C:\Documents and Settings\Isetta\My Documents\Saved disc 2\Norton AntiVirus\Quarantine\74D73580=>(Quarantine-2)
Infected with: Trojan.Bispy.E

C:\Documents and Settings\Isetta\My Documents\Saved disc 2\Norton AntiVirus\Quarantine\74D73580=>(Quarantine-2)
Deleted

C:\Documents and Settings\Isetta\My Documents\Saved disc 2\Norton AntiVirus\Quarantine\74D73580
Deleted

C:\Documents and Settings\Isetta\My Documents\Saved disc 2\Norton AntiVirus\Quarantine\783C5F94=>(Quarantine-2)
Infected with: Trojan.Generic.1913007

C:\Documents and Settings\Isetta\My Documents\Saved disc 2\Norton AntiVirus\Quarantine\783C5F94=>(Quarantine-2)
Deleted

C:\Documents and Settings\Isetta\My Documents\Saved disc 2\Norton AntiVirus\Quarantine\783C5F94
Deleted

C:\Documents and Settings\Isetta\My Documents\Saved disc 2\Norton AntiVirus\Quarantine\78490786=>(Quarantine-2)
Infected with: MemScan:Adware.Adlogix

C:\Documents and Settings\Isetta\My Documents\Saved disc 2\Norton AntiVirus\Quarantine\78490786=>(Quarantine-2)
Deleted

C:\Documents and Settings\Isetta\My Documents\Saved disc 2\Norton AntiVirus\Quarantine\78490786
Deleted

C:\Documents and Settings\Isetta\My Documents\Saved disc 2\Norton AntiVirus\Quarantine\7D834D7C=>(Quarantine-2)
Infected with: MemScan:Adware.Adlogix

C:\Documents and Settings\Isetta\My Documents\Saved disc 2\Norton AntiVirus\Quarantine\7D834D7C=>(Quarantine-2)
Deleted

C:\Documents and Settings\Isetta\My Documents\Saved disc 2\Norton AntiVirus\Quarantine\7D834D7C
Deleted

C:\Documents and Settings\Isetta\My Documents\Saved disc 2\Norton AntiVirus\Quarantine\7D8B4730=>(Quarantine-2)
Infected with: Trojan.Downloader.Agent.AM

C:\Documents and Settings\Isetta\My Documents\Saved disc 2\Norton AntiVirus\Quarantine\7D8B4730=>(Quarantine-2)
Deleted

C:\Documents and Settings\Isetta\My Documents\Saved disc 2\Norton AntiVirus\Quarantine\7D8B4730
Deleted

C:\Documents and Settings\Isetta\My Documents\Saved disc 2\Norton AntiVirus\Quarantine\7E0702A7=>(Quarantine-2)
Infected with: Trojan.Downloader.Agent.AM

C:\Documents and Settings\Isetta\My Documents\Saved disc 2\Norton AntiVirus\Quarantine\7E0702A7=>(Quarantine-2)
Deleted

C:\Documents and Settings\Isetta\My Documents\Saved disc 2\Norton AntiVirus\Quarantine\7E0702A7
Deleted

C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{6BE14ADF-BF41-4394-B992-563A028010C1}\Microsoft\Outlook Express\Tracfone.dbx=>(message 2): ONLY 3 DAYS LEFT!=>(JAVASCRIPT 1)
Infected with: Trojan.Script.3733

C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{6BE14ADF-BF41-4394-B992-563A028010C1}\Microsoft\Outlook Express\Tracfone.dbx=>(message 2): ONLY 3 DAYS LEFT!=>(JAVASCRIPT 1)
Disinfection failed

C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{6BE14ADF-BF41-4394-B992-563A028010C1}\Microsoft\Outlook Express\Tracfone.dbx=>(message 2): ONLY 3 DAYS LEFT!=>(JAVASCRIPT 1)
Deleted

C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{6BE14ADF-BF41-4394-B992-563A028010C1}\Microsoft\Outlook Express\Tracfone.dbx=>(message 2): ONLY 3 DAYS LEFT!
Updated

C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{6BE14ADF-BF41-4394-B992-563A028010C1}\Microsoft\Outlook Express\Tracfone.dbx
Updated

C:\hp\bin\KillWind.exe
Infected with: Virtool.1992

C:\hp\bin\KillWind.exe
Deleted

Edited by happyFish, 10 July 2009 - 10:53 PM.


#2 jedi

jedi

    aequam memento rebus in arduis servare mentem

  • Administrators
  • PipPipPipPipPip
  • 15,815 posts

Posted 12 July 2009 - 03:53 AM

Hi,

I notice that you have Spybot's TeaTimer running. While this is normally a wonderful tool to protect against hijackers, it can also interfere with HijackThis fixes. So please disable TeaTimer by doing the following:
1) Run Spybot-S&D
2) Go to the Mode menu, and make sure "Advanced Mode" is selected
3) On the left hand side, choose Tools -> Resident
4) Uncheck "Resident TeaTimer" and OK any prompts
5) Restart your computer.
You can reenable TeaTimer once your system is clean.

Next:

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Posted Image



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

jedi
jedi

My help is free, but if you wish to help keep these forums running please consider a donation, see This Topic for details.

#3 happyFish

happyFish

    Member

  • Full Member
  • Pip
  • 6 posts

Posted 12 July 2009 - 10:39 PM

Done! Incidentally, it seems that Firefox being redirected to other sites while in Google is a common problem; other people on the forum seem to have it as well...

Anyway, here is the log that came out:


ComboFix 09-07-12.03 - Owner 07/12/2009 21:09.1.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1535.1088 [GMT -7:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: Norton AntiVirus *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Worm Protection *enabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Owner\Local Settings\Temporary Internet Files\bestwiner.stt
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\fbk.sts
c:\program files\AskSearch\bin\DefaultSearch.dll
c:\recycler\NPROTECT
c:\windows\Install.txt
c:\windows\Installer\1b8f44.msi
c:\windows\Installer\1c5eb.msi
c:\windows\Installer\1cb805.msi
c:\windows\Installer\1cb80e.msi
c:\windows\Installer\31e989.msi
c:\windows\Installer\3360bc.msp
c:\windows\Installer\34251.msi
c:\windows\Installer\364fe3.msi
c:\windows\Installer\364fe9.msi
c:\windows\Installer\364fef.msi
c:\windows\Installer\364ff5.msi
c:\windows\Installer\364ffb.msi
c:\windows\Installer\365001.msi
c:\windows\Installer\365007.msi
c:\windows\Installer\3b674.msi
c:\windows\Installer\3b67c.msi
c:\windows\Installer\3b683.msi
c:\windows\Installer\3b689.msi
c:\windows\Installer\4de22.msp
c:\windows\Installer\4deeb.msp
c:\windows\Installer\888e0.msi
c:\windows\Installer\9eae5.msi
c:\windows\Installer\a20eeb.msp
c:\windows\Installer\a694e.msi
c:\windows\Installer\aa8ee.msi
c:\windows\Installer\aa8f5.msi
c:\windows\Installer\f2ed9.msi
c:\windows\jestertb.dll
c:\windows\Microsoft.NET\bdsii.bak2
c:\windows\Microsoft.NET\bdsii.ini
c:\windows\Microsoft.NET\bdsii.ini2
c:\windows\security\logs\lldrvs.bak1
c:\windows\security\logs\lldrvs.ini
c:\windows\system32\disk.dll
c:\windows\system32\drivers\hjgruiqcgrvtlo.sys
c:\windows\system32\hjgruiblkrddov.dll
c:\windows\system32\hjgruidqkydttm.dll
c:\windows\system32\hjgruikbirqlem.dat
c:\windows\system32\hjgruipkayansb.dat
c:\windows\system32\NX.exe
D:\Autorun.inf
d:\recycled\NPROTECT\NPROTECT.LOG
d:\recycled\NPROTECT\NPROTECT.LOG . . . . failed to delete

c:\windows\system32\proquota.exe was missing
Restored copy from - c:\windows\ServicePackFiles\i386\proquota.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_hjgruiaqcxstpv
-------\Legacy_MSNCACHE
-------\Legacy_SOPIDKC


((((((((((((((((((((((((( Files Created from 2009-06-13 to 2009-07-13 )))))))))))))))))))))))))))))))
.

2009-07-13 04:18 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2009-07-13 04:18 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\dllcache\proquota.exe
2009-07-11 02:21 . 2009-07-11 05:06 -------- d-----w- c:\windows\BDOSCAN8
2009-07-11 00:47 . 2009-07-11 00:47 -------- d-----w- c:\program files\Trend Micro
2009-07-10 21:32 . 2009-07-10 21:32 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2009-07-10 21:32 . 2009-06-17 18:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-10 21:32 . 2009-07-10 21:32 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-10 21:32 . 2009-07-10 21:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-07-10 21:32 . 2009-06-17 18:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-10 20:44 . 2009-07-10 20:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-07-10 20:44 . 2009-07-10 20:50 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-07-06 19:13 . 2009-07-06 19:13 -------- d-----w- c:\program files\MSXML 4.0
2009-07-06 01:23 . 2005-01-12 22:18 82432 ----a-w- c:\windows\system32\msxml4r.dll
2009-07-06 01:23 . 2005-01-12 22:18 44544 ----a-w- c:\windows\system32\msxml4a.dll
2009-07-05 19:01 . 2007-06-06 22:51 60680 ----a-w- c:\windows\system32\CloseAll.exe
2009-06-22 04:18 . 2009-06-22 04:18 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2009-06-22 04:08 . 2009-06-22 04:08 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-10 21:44 . 2004-04-03 08:05 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-07-10 21:25 . 2007-07-04 20:57 -------- d-----w- c:\program files\SpywareDetector
2009-07-10 19:08 . 2004-09-05 18:50 -------- d-----w- c:\program files\Google
2009-07-10 19:00 . 2009-02-12 04:59 -------- d-----w- c:\program files\Morgan
2009-07-10 02:22 . 2008-12-16 22:12 -------- d-----w- c:\documents and settings\Owner\Application Data\uTorrent
2009-07-08 06:11 . 2007-02-28 19:06 -------- d-----w- c:\program files\Norton SystemWorks
2009-07-04 04:24 . 2004-09-03 20:52 -------- d-----w- c:\documents and settings\Owner\Application Data\AdobeUM
2009-07-01 19:38 . 2009-05-29 23:43 -------- d-----w- c:\documents and settings\Owner\Application Data\dvdcss
2009-06-16 17:33 . 2004-09-19 19:17 83776 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-16 05:33 . 2004-04-02 09:49 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-06-16 05:32 . 2005-09-08 01:44 -------- d-----w- c:\program files\TLI
2009-05-07 15:32 . 2004-04-29 23:03 345600 ----a-w- c:\windows\system32\localspl.dll
2009-04-29 04:46 . 2004-01-22 07:16 666624 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:46 . 2005-06-18 05:57 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-04-20 14:57 . 2009-04-20 14:57 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.1.1.10\SetupAdmin.exe
2009-04-17 12:26 . 2004-04-02 06:52 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2005-06-18 05:25 585216 ----a-w- c:\windows\system32\rpcrt4.dll
2007-02-28 18:21 . 2007-02-28 18:21 5043712 ----a-w- c:\program files\SymADataWeb.msi
2007-02-18 16:59 . 2007-02-18 16:58 58769094 ----a-w- c:\program files\NSWS06902.exe
2007-01-28 14:13 . 2007-01-28 14:13 667753 ----a-w- c:\program files\RNPatch67.exe
2005-05-13 23:12 . 2005-05-13 23:12 217073 -csha-r- c:\windows\meta4.exe
2005-10-24 17:13 . 2005-10-24 17:13 66560 -csha-r- c:\windows\MOTA113.exe
2005-10-14 03:27 . 2005-10-14 03:27 422400 -csha-r- c:\windows\x2.64.exe
2004-09-05 01:26 . 2004-09-05 00:26 0 -csha-w- c:\windows\SMINST\HPCD.sys
2005-06-26 21:32 . 2005-06-26 21:32 616448 --sha-r- c:\windows\system32\cygwin1.dll
2006-05-03 10:06 . 2009-01-22 04:58 163328 --sh--r- c:\windows\system32\flvDX.dll
2004-01-25 06:00 . 2004-01-25 06:00 70656 --sha-r- c:\windows\system32\i420vfw.dll
2007-02-21 11:47 . 2009-01-22 04:58 31232 --sh--r- c:\windows\system32\msfDX.dll
2008-03-16 13:30 . 2009-01-22 04:58 216064 --sh--r- c:\windows\system32\nbDX.dll
2006-04-27 16:24 . 2006-04-27 16:24 2945024 --sha-r- c:\windows\system32\Smab.dll
2004-01-25 06:00 . 2004-01-25 06:00 70656 --sha-r- c:\windows\system32\yv12vfw.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2008-09-30 00:24 325000 ----a-w- c:\program files\AskBarDis\bar\bin\askBar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-09-30 325000]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-09-30 325000]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"MoneyAgent"="c:\program files\Microsoft Money\System\mnyexpr.exe" [2003-06-19 200704]
"Simple Star PhotoShow Media Manager"="c:\progra~1\SIMPLE~1\PHOTOS~1\data\Xtras\mssysmgr.exe" [2006-01-13 233472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-08 52736]
"KBD"="c:\hp\KBD\KBD.EXE" [2003-02-12 61440]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2004-04-14 233472]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2004-02-24 3026944]
"PS2"="c:\windows\system32\ps2.exe" [2003-09-13 98304]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-01-09 53096]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-11-07 111936]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-21 136600]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2004-02-24 753664]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2005-03-04 88209]
"AlcxMonitor"="ALCXMNTR.EXE" - c:\windows\ALCXMNTR.EXE [2004-09-07 57344]

c:\documents and settings\Isetta\Start Menu\Programs\Startup\
PowerReg Scheduler V3.exe [2005-2-2 225280]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
hp psc 2000 Series.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe [2003-4-6 323646]
hpoddt01.exe.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-4-6 28672]
PopSubtract.lnk - c:\program files\InterMute\PopSubtract\PopSub.exe [2004-8-31 233472]
Quicken Scheduled Updates.lnk - c:\program files\Quicken\bagent.exe [2003-7-30 57344]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoViewOnDrive"= 0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk /p \??\o:\0sdearlydelete\0SDEarlyDelete \??\c:\program files\SpywareDetector\0autocheck autochk *

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

R2 NProtectService;Norton UnErase Protection;c:\progra~1\NORTON~2\NORTON~2\NPROTECT.EXE [11/3/2005 7:08 PM 95832]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2/26/2009 11:15 AM 101936]
S2 gupdate1c9f2ef27701172;Google Update Service (gupdate1c9f2ef27701172);c:\program files\Google\Update\GoogleUpdate.exe [6/21/2009 9:08 PM 133104]
S2 mrtRate;mrtRate; [x]
S2 SDService;SDService;c:\program files\SpywareDetector\SDService.exe --> c:\program files\SpywareDetector\SDService.exe [?]
S3 Cap713x;Philips Cap713x Video Capture;c:\windows\system32\drivers\Cap713x.sys [6/18/2005 12:29 PM 685952]
S3 imhidusb;Immersion's HID USB Driver;c:\windows\system32\drivers\imhidusb.sys [9/6/2004 10:50 AM 30984]
S3 SDActMon;SDActMon;\??\c:\program files\SpywareDetector\SDActMon.sys --> c:\program files\SpywareDetector\SDActMon.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2009-07-10 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-12 19:34]

2009-07-13 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-22 04:08]

2009-07-13 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-22 04:08]

2009-07-11 c:\windows\Tasks\Norton AntiVirus - Run Full System Scan - Isettadnv.job
- c:\progra~1\NORTON~2\NORTON~1\Navw32.exe [2005-09-24 19:13]

2009-07-06 c:\windows\Tasks\Norton SystemWorks One Button Checkup.job
- c:\program files\Norton SystemWorks\OBC.exe [2006-08-03 03:05]

2009-07-12 c:\windows\Tasks\Symantec Drmc.job
- c:\program files\Common Files\Symantec Shared\SymDrmc.exe [2005-10-27 02:48]

2009-07-08 c:\windows\Tasks\Wednesday night total checkup.job
- c:\program files\Norton SystemWorks\OBC.exe [2006-08-03 03:05]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-SDActiveMonitor - c:\program files\SpywareDetector\SDActiveMonitor.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=presario&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=presario&pf=desktop
uSearchURL,(Default) = hxxp://toolbar.ask.com/toolbarv/askRedirect?o=101757&gct=&gc=1&q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
LSP: SpSubLSP.dll
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\6x017lpl.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?q=
FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\nptgeqplugin.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-12 21:31
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3808588222-517768609-2165525081-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\BANDAI NAMCO GAMES\€’³lñ‚Ä–O¬Š *SOšHr]
"Order"=hex:08,00,00,00,02,00,00,00,f8,01,00,00,01,00,00,00,04,00,00,00,74,00,
00,00,00,00,00,00,66,00,00,00,41,75,67,4d,02,00,00,00,01,00,00,00,54,00,32,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(936)
c:\windows\system32\nView.dll
c:\windows\system32\nvwddi.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\CCSETMGR.EXE
c:\program files\Common Files\Symantec Shared\CCEVTMGR.EXE
c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
c:\program files\Common Files\Symantec Shared\SNDSrvc.exe
c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Norton SystemWorks\Norton AntiVirus\NAVAPSVC.EXE
c:\program files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMNTOR.EXE
c:\windows\system32\nvsvc32.exe
c:\progra~1\NORTON~2\NORTON~2\SPEEDD~1\NOPDB.exe
c:\windows\system32\rundll32.exe
c:\program files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
c:\windows\system32\HPZipm12.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Hewlett-Packard\Digital Imaging\bin\hposts08.exe
c:\program files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
c:\program files\Messenger\msmsgs.exe
.
**************************************************************************
.
Completion time: 2009-07-13 21:36 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-13 04:36

Pre-Run: 47,698,886,656 bytes free
Post-Run: 48,928,489,472 bytes free

275 --- E O F --- 2009-07-06 19:14

#4 jedi (Administrators, 15,815 posts)

    aequam memento rebus in arduis servare mentem

Posted 14 July 2009 - 04:30 AM

Hi again,

How is the PC running now? Any continuing issues?

jedi

My help is free, but if you wish to help keep these forums running please consider a donation, see This Topic for details.

#5 happyFish (Full Member, 6 posts)

Posted 14 July 2009 - 02:37 PM

Pretty well, actually. Google searches on Firefox aren't redirected, and programs that didn't work before like Norton Speed Disk work now. I can access the computer's firewall now as well, which I haven't been able to do for months. The only problem is that dragging icons inside various windows does nothing, but this has happened before and is fixed after a restart. Aside from that, all is good. :thumbsup:

#6 jedi

Posted 15 July 2009 - 07:28 AM

Hi again,

I'd just like to run one more on-line scan to pick up any leftovers:

Please run the eTrust online scan here:
http://www3.ca.com/s...sinfo/scan.aspx
Allow the ActiveX control to load, and follow the prompts to run the scan. If it finds anything select - Delete Files - when the scan has finished.

Please post the scan results here

jedi

#7 happyFish

Posted 16 July 2009 - 01:30 AM

Hello again,

I've been trying to run the online scan shown, but for some reason it does not work. After I press the 'start scan' button on the first page and answer positively on the second, the third page does not finish loading. Looking at the scanner help page on the site, it says that the scanner should download after reading and agreeing to the End-User License Agreement, but I end up on the Threat Scanner page immediately. I try pressing the 'start scan' button on that page, but nothing happens. I do keep on getting an 'Error on page' message on the bottom of the screen, and something on the left-hand side of the screen, beneath the 'scanner' and 'scanner results' tabs and above the 'Check to send results anonymously to CA' box, does not load, and only has a red x instead.

I made sure to check my security settings and lower the ones regarding ActiveX, and I did turn off Spybot's TeaTimer, but the page still seems to refuse to load completely, and I am at a loss to fix the problem. :scratchhead:

Do you have any idea what is happening?

Edited by happyFish, 16 July 2009 - 01:38 AM.


#8 jedi

Posted 16 July 2009 - 03:21 AM

Hi again,

OK, not to worry, let's try a different one:

Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and Scan unwanted applications are checked
  • Click Scan
    Wait for the scan to finish
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic
jedi

#9 happyFish

Posted 16 July 2009 - 07:08 PM

Hello once more,

I tried that program and it worked perfectly.
It seems that the computer is working fine now.
Here is the log as requested:

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=6
# IEXPLORE.EXE=6.00.2900.5512 (xpsp.080413-2105)
# OnlineScanner.ocx=1.0.0.5886
# api_version=3.0.2
# EOSSerial=d7c982d3eac99f48a931373c96ce3731
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2009-07-16 11:05:35
# local_time=2009-07-16 04:05:35 (-0700, Mountain Standard Time)
# country="United States"
# lang=9
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=3586 21 100 88 291791562500
# scanned=168497
# found=9
# cleaned=9
# scan_time=9711
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\eZulaHotText.zip Win32/Bagle.gen.zip worm (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCgp1.zip Win32/Bagle.gen.zip worm (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Program Files\BackWeb\BackWeb Client\6.2.3.66L\Program\runner.exe probably a variant of Win32/Agent trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe probably a variant of Win32/Agent trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\Microsoft.NET\bdsii.bak2.vir Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\Microsoft.NET\bdsii.ini.vir Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\Microsoft.NET\bdsii.ini2.vir Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\security\logs\lldrvs.bak1.vir Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\security\logs\lldrvs.ini.vir Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
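A small parser for a log of the shape posted above, added here as an illustration and not code from the thread or from ESET. It reads the "# key=value" summary, splits each detection line into path, threat, action, hash and flag, and cross-checks the found/cleaned counters against the per-file lines so leftovers stand out; the sample log is constructed (the third detection with "error while cleaning" and flag I is invented to show an uncleaned item), and the path/threat split assumes file names without spaces, which holds for every line in the posted log.

```python
import re

# Constructed sample in the shape of the ESET log posted above; the third line
# ("error while cleaning", flag I) is invented to show an uncleaned detection.
SAMPLE_LOG = r"""ESETSmartInstaller@High as CAB hook log:
# end=finished
# found=3
# cleaned=2
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\eZulaHotText.zip Win32/Bagle.gen.zip worm (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Program Files\BackWeb\BackWeb Client\6.2.3.66L\Program\runner.exe probably a variant of Win32/Agent trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Temp\leftover.exe a variant of Win32/Agent trojan (error while cleaning) 00000000000000000000000000000000 I
"""

# Detection line: <path> <threat> (<action>) <32 hex digits> <flag>
DETECTION_RE = re.compile(
    r"^(?P<body>.+) \((?P<action>[^()]+)\) (?P<hash>[0-9a-fA-F]{32}) (?P<flag>\S+)$")

def split_path_threat(body):
    """Cut '<path> <threat>' at the first space after the last backslash;
    assumes the file name has no spaces (directory names may)."""
    last_sep = body.rfind("\\")
    cut = body.find(" ", last_sep) if last_sep >= 0 else -1
    if cut < 0:
        return body, ""
    return body[:cut], body[cut + 1:]

def parse_eset_log(text):
    """Return the '# key=value' header and one dict per detection line."""
    header, detections = {}, []
    for line in text.splitlines():
        if line.startswith("# ") and "=" in line:
            key, _, value = line[2:].partition("=")
            header[key.strip()] = value.strip()
            continue
        m = DETECTION_RE.match(line)
        if m:
            path, threat = split_path_threat(m.group("body"))
            detections.append({"path": path, "threat": threat, "action": m.group("action"),
                               "hash": m.group("hash"), "flag": m.group("flag")})
    return {"header": header, "detections": detections}

def audit(parsed):
    """Check the summary counters against the per-file lines; list uncleaned paths."""
    header, det = parsed["header"], parsed["detections"]
    cleaned = [d for d in det if d["action"].startswith("cleaned")]
    return {"finished": header.get("end") == "finished",
            "found_matches": header.get("found") == str(len(det)),
            "cleaned_matches": header.get("cleaned") == str(len(cleaned)),
            "uncleaned": [d["path"] for d in det if d not in cleaned]}
```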

#10 jedi

Posted 18 July 2009 - 04:04 AM

Hi again,

It seems that the computer is working fine now.

Your logs look clean too. :)

In order to be better protected in the future, I recommend the following programs:

SpywareBlaster protects against bad ActiveX.
http://www.javacools...areblaster.html

SpywareGuard stops Spyware from being installed.
http://www.javacools...ywareguard.html

Also install the MVPS hosts file:
http://www.mvps.org/...p2002/hosts.htm
which blocks innocent looking sites that are not so innocent.

All three are very small free programs that you run once, and then just occasionally to check for updates.

Also see
How did I get Infected?

Finally, it is best to update your system regularly, to ensure you have the latest security patches from Microsoft. Update by clicking
here http://v4.windowsupdate.microsoft.com/
and following the prompts.

jedi

#11 happyFish

Posted 21 July 2009 - 12:18 AM

Hello once more,

I've let the computer run for some time now, and all problems have been fixed and solved. In addition, I have downloaded those other programs in order to better protect my computer, and they are proving to be very useful.

Also, thank you very much! :) This really saved me a lot of trouble! :yahoo:

#12 jedi

Posted 21 July 2009 - 07:40 AM

You're very welcome. Glad I could help. :)
jedi

#13 jedi

Posted 08 August 2009 - 06:47 AM

Glad we could help. :)

If you need this topic reopened, please tell the moderating team by replying here with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.
jedi
