Please look at my hijack this log!

View previous topic View next topic Go down

Please look at my hijack this log!

Post by dapits on 10th September 2009, 6:36 pm

Here is a copy of the HijackThis log file. Malawarebytes showed a trojan vundo among other things. I cleaned them up using Malawarebytes and my system is running better but just to be on the safe side...how does it look to you?
P.S. this is a work computer.
Thanks!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:33:17 PM, on 9/10/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\QUICKENW\QWDLLS.EXE
C:\PROGRA~1\MICROS~2\Office10\OUTLOOK.EXE
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\winlogon.scr

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PDF Converter Registry Controller] "C:\Program Files\ScanSoft\PDF Converter 2.0\\RegistryController.exe"
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [BI1HelperStartUp] C:\PROGRA~1\BEACHI~1\BI1HEL~1.EXE /partner BI1
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [trioService] "C:\PROGRA~1\Freeze.com\Halloween\\trioService.exe "
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SGPUpdater] C:\Program Files\Search Guard PlusU\sgpUpdaters.exe
O4 - HKLM\..\Run: [FBSearch] C:\Program Files\Search Guard Plus\SearchGuardPlus.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Billminder.lnk = C:\QUICKENW\BILLMIND.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Quicken Startup.lnk = C:\QUICKENW\QWDLLS.EXE
O8 - Extra context menu item: &AIM Search - [You must be registered and logged in to see this link.] Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Viewpoint Search - [You must be registered and logged in to see this link.] Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O8 - Extra context menu item: Open PDF in Word (PDF Converter 2.0) - [You must be registered and logged in to see this link.] Files\ScanSoft\PDF Converter 2.0\IEShellExt.dll /100
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O15 - Trusted Zone: [You must be registered and logged in to see this link.]
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - [You must be registered and logged in to see this link.]
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - [You must be registered and logged in to see this link.]
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {7823A620-9DD9-11CF-A662-00AA00C066D2} (PopupMenu Object) - [You must be registered and logged in to see this link.]
O16 - DPF: {7876E4A5-78B7-4020-B08F-C960A1ED54C9} (WebWatch Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {A93B47FD-9BF6-4DA8-97FC-9270B9D64A6C} (VaPgCtrl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {B6C10489-FB89-11D4-93C9-006008A7EED4} (TeeChart Pro Activex control v5) - [You must be registered and logged in to see this link.]
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - [You must be registered and logged in to see this link.]
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - [You must be registered and logged in to see this link.]
O17 - HKLM\System\CCS\Services\Tcpip\..\{6566C1D6-A134-4317-B78C-0B4742417737}: NameServer = 68.1.18.237,68.1.18.30
O17 - HKLM\System\CCS\Services\Tcpip\..\{BE84494B-7C36-4E44-BF8D-AB20DDDBD790}: NameServer = 68.1.18.237,68.1.18.30
O17 - HKLM\System\CS1\Services\Tcpip\..\{6566C1D6-A134-4317-B78C-0B4742417737}: NameServer = 68.1.18.237,68.1.18.30
O20 - AppInit_DLLs: sakoruti.dll
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: STOPzilla Local Service - Unknown owner - C:\Program Files\STOPzilla!\szntsvc.exe (file missing)
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
O23 - Service: Network Security Service (NSS) (O.#´) - Unknown owner - C:\WINDOWS\system32\sdkff32.exe (file missing)

--
End of file - 10290 bytes

dapits
Intermediate
Intermediate

Posts Posts : 128
Joined Joined : 2009-03-30
OS OS : XP
Points Points : 29347
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Please look at my hijack this log!

Post by Belahzur on 10th September 2009, 6:59 pm

Hello.

  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    O20 - AppInit_DLLs: sakoruti.dll
    O23 - Service: Network Security Service (NSS) (O.#´) - Unknown owner - C:\WINDOWS\system32\sdkff32.exe (file missing)


  • Press "Fix Checked"
  • Close Hijack This.

Please download and run this tool.

Download Malwarebytes' Anti-Malware from [You must be registered and logged in to see this link.]

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245101
# Likes # Likes : 1

View user profile

Back to top Go down

Re: Please look at my hijack this log!

Post by dapits on 10th September 2009, 8:04 pm

Here is the MBAM Log:
But I had something pop up from the "virus protection software that said there was still an infection. Some type of Backdoor virus????
What do you think?


Malwarebytes' Anti-Malware 1.40
Database version: 2773
Windows 5.1.2600 Service Pack 3

9/10/2009 4:02:18 PM
mbam-log-2009-09-10 (16-02-18).txt

Scan type: Quick Scan
Objects scanned: 118382
Time elapsed: 21 minute(s), 12 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BITS\ImagePath (Hijack.WindowsUpdates) -> Bad: (%fystemRoot%\System32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wuauserv\ImagePath (Hijack.WindowsUpdates) -> Bad: (%fystemroot%\system32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\kpits\Desktop\winlogon.scr (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.
C:\WINDOWS\winlogon.scr (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.

dapits
Intermediate
Intermediate

Posts Posts : 128
Joined Joined : 2009-03-30
OS OS : XP
Points Points : 29347
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Please look at my hijack this log!

Post by Belahzur on 11th September 2009, 1:23 am


  • Please download DDS by sUBs to your Desktop (Important!!) from one of these locations:
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
  • Double click DDS.scr to run.
  • When complete, two logs will open. Save both of the report to your Desktop.
  • Copy and paste DDS.txt back here, I don't need to see attach.txt just yet.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245101
# Likes # Likes : 1

View user profile

Back to top Go down

Re: Please look at my hijack this log!

Post by dapits on 15th September 2009, 5:16 pm

Here is the DDS.txt
DDS (Ver_09-07-30.01) - NTFSx86
Run by kpits at 12:15:28.84 on Tue 09/15/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.42 [GMT -4:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\QUICKENW\QWDLLS.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\kpits\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = [You must be registered and logged in to see this link.]
uSearch Page = [You must be registered and logged in to see this link.]
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
uWindow Title = Windows Internet Explorer provided by Yahoo!
uDefault_Page_URL = [You must be registered and logged in to see this link.]
uSearch Bar = [You must be registered and logged in to see this link.]
mDefault_Search_URL = [You must be registered and logged in to see this link.]
mSearch Page = [You must be registered and logged in to see this link.]
mStart Page = [You must be registered and logged in to see this link.]
mSearch Bar = [You must be registered and logged in to see this link.]
uInternet Connection Wizard,ShellNext = iexplore
uSearchAssistant = [You must be registered and logged in to see this link.]
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
mSearchAssistant = [You must be registered and logged in to see this link.]
{316d93a2-3459-fe7a-04a6-52d8f46fa978}
mWinlogon: Userinit=c:\windows\system32\userinit.exe
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn2\yt.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn2\yt.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NVMCTRAY.DLL,NvTaskbarInit
uRun: [MsnMsgr] "c:\program files\msn messenger\MsnMsgr.Exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
mRun: [Smapp] c:\program files\analog devices\soundmax\Smtray.exe
mRun: [nwiz] nwiz.exe /install
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NeroCheck] c:\windows\system32\\NeroCheck.exe
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [PDF Converter Registry Controller] "c:\program files\scansoft\pdf converter 2.0\\RegistryController.exe"
mRun: [WildTangent CDA] RUNDLL32.exe "c:\program files\wildtangent\apps\cda\cdaEngine0400.dll",cdaEngineMain
mRun: [BI1HelperStartUp] c:\progra~1\beachi~1\BI1HEL~1.EXE /partner BI1
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [trioService] "c:\progra~1\freeze.com\halloween\\trioService.exe "
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SGPUpdater] c:\program files\search guard plusu\sgpUpdaters.exe
mRun: [FBSearch] c:\program files\search guard plus\SearchGuardPlus.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\billmi~1.lnk - c:\quickenw\BILLMIND.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quicke~1.lnk - c:\quickenw\QWDLLS.EXE
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
dPolicies-system: DisableTaskMgr = 1 (0x1)
IE: &AIM Search - c:\program files\aim toolbar\AIMBar.dll/aimsearch.htm
IE: &Search
IE: &Viewpoint Search - c:\program files\viewpoint\viewpoint toolbar\ViewBar.dll/CXTSEARCH.HTML
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: Open PDF in Word (PDF Converter 2.0) - c:\program files\scansoft\pdf converter 2.0\IEShellExt.dll /100
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
Trusted Zone: maconstate.edu\www
DPF: DirectAnimation Java Classes - [You must be registered and logged in to see this link.]
DPF: Microsoft XML Parser for Java - [You must be registered and logged in to see this link.]
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - [You must be registered and logged in to see this link.]
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - [You must be registered and logged in to see this link.]
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - [You must be registered and logged in to see this link.]
DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} - [You must be registered and logged in to see this link.]
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - [You must be registered and logged in to see this link.]
DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - [You must be registered and logged in to see this link.]
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - [You must be registered and logged in to see this link.]
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - [You must be registered and logged in to see this link.]
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - [You must be registered and logged in to see this link.]
DPF: {7823A620-9DD9-11CF-A662-00AA00C066D2} - [You must be registered and logged in to see this link.]
DPF: {7876E4A5-78B7-4020-B08F-C960A1ED54C9} - [You must be registered and logged in to see this link.]
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - [You must be registered and logged in to see this link.]
DPF: {A93B47FD-9BF6-4DA8-97FC-9270B9D64A6C} - [You must be registered and logged in to see this link.]
DPF: {B6C10489-FB89-11D4-93C9-006008A7EED4} - [You must be registered and logged in to see this link.]
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - [You must be registered and logged in to see this link.]
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - [You must be registered and logged in to see this link.]
TCP: {6566C1D6-A134-4317-B78C-0B4742417737} = 68.1.18.237,68.1.18.30
TCP: {BE84494B-7C36-4E44-BF8D-AB20DDDBD790} = 68.1.18.237,68.1.18.30
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Notification Packages = scecli tujalusi.dll

============= SERVICES / DRIVERS ===============

R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2006-9-6 337592]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2006-9-6 54968]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2006-11-21 192104]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2006-11-21 169576]
R2 IOPort;IOPort;c:\windows\system32\drivers\IOPORT.SYS [1998-11-27 6144]
R2 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2007-3-14 116416]
R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2007-3-14 1816768]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-9-9 102448]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090914.003\naveng.sys [2009-9-14 84912]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090914.003\navex15.sys [2009-9-14 1323568]
S0 irkm;irkm;c:\windows\system32\drivers\nekc.sys --> c:\windows\system32\drivers\nekc.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-8-17 133104]
S2 Norton AntiVirus Server;Norton AntiVirus Client;c:\program files\navnt\rtvscan.exe [2001-9-24 454656]
S2 STOPzilla Local Service;STOPzilla Local Service;c:\program files\stopzilla!\szntsvc.exe /service "stopzilla local service" --> c:\program files\stopzilla!\szntsvc.exe [?]

=============== Created Last 30 ================

2009-09-10 13:07 17,827 a------- c:\docume~1\alluse~1\applic~1\obonifiqu.com
2009-09-10 13:07 14,208 a------- c:\docume~1\kpits\applic~1\segucedi.reg
2009-09-10 13:07 16,159 a------- c:\windows\system32\ipufozelo.reg
2009-09-10 13:07 19,172 a------- c:\windows\hikoz.com
2009-09-10 13:07 10,300 a------- c:\windows\gyjabesu.dl
2009-09-10 13:07 13,525 a------- c:\windows\natoz.vbs
2009-09-10 13:07 17,533 a------- c:\windows\system32\nubemec.scr
2009-09-10 13:07 14,561 a------- c:\program files\common files\hukavusal.bat
2009-09-10 13:07 14,394 a------- c:\windows\system32\ozeb.com
2009-09-10 13:07 13,811 a------- c:\windows\system32\cegeto.dll
2009-09-10 13:07 10,765 a------- c:\windows\ibamoruso.vbs
2009-09-10 13:07 19,901 a------- c:\docume~1\alluse~1\applic~1\sobel.vbs
2009-09-10 13:06 19,654 a------- c:\windows\system32\ziwobizavo._dl
2009-09-10 13:06 15,016 a------- c:\docume~1\kpits\applic~1\pywec.com
2009-09-10 12:55 0 a------- c:\windows\system32\41.exe
2009-09-09 23:05 153,088 -c------ c:\windows\system32\dllcache\triedit.dll
2009-09-09 09:40 --d----- c:\program files\common files\xing shared

==================== Find3M ====================

2009-09-10 13:07 19,447 a------- c:\program files\common files\dikivuq._sy
2009-08-21 09:43 73,432 a------- c:\docume~1\kpits\applic~1\GDIPFONTCACHEV1.DAT
2009-08-05 05:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-08-03 13:36 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 13:36 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-07-25 05:23 411,368 a------- c:\windows\system32\deploytk.dll
2009-07-17 15:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-13 23:43 286,208 a------- c:\windows\system32\wmpdxm.dll
2009-07-03 13:09 915,456 a------- c:\windows\system32\wininet.dll
2009-02-16 13:14 3 a------- c:\program files\xpW32sys.ico
2007-09-17 10:42 3,153,865 a------- c:\program files\pdfedit-0.3.2-cygwin.zip
2007-09-17 10:41 3,440,668 a------- c:\program files\pdfedit-0.3.2.tar.gz
2007-09-17 10:40 2,978,196 a------- c:\program files\pdfedit-0.3.2.tar.bz2
2009-04-09 13:10 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009040920090410\index.dat

============= FINISH: 12:16:26.67 ===============

dapits
Intermediate
Intermediate

Posts Posts : 128
Joined Joined : 2009-03-30
OS OS : XP
Points Points : 29347
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Please look at my hijack this log!

Post by Belahzur on 15th September 2009, 5:36 pm

Please download the [You must be registered and logged in to see this link.].

  • Save it to your desktop.
  • Please double-click OTM.exe to run it.
  • Copy the bolded text below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose CopyCrying


    :services
    irkm

    :files
    c:\progra~1\freeze.com
    c:\docume~1\alluse~1\applic~1\obonifiqu.com
    c:\docume~1\kpits\applic~1\segucedi.reg
    c:\windows\system32\ipufozelo.reg
    c:\windows\hikoz.com
    c:\windows\gyjabesu.dl
    c:\windows\natoz.vbs
    c:\windows\system32\nubemec.scr
    c:\program files\common files\hukavusal.bat
    c:\windows\system32\ozeb.com
    c:\windows\system32\cegeto.dll
    c:\windows\ibamoruso.vbs
    c:\docume~1\alluse~1\applic~1\sobel.vbs
    c:\windows\system32\ziwobizavo._dl
    c:\docume~1\kpits\applic~1\pywec.com
    c:\windows\system32\41.exe
    c:\program files\common files\dikivuq._sy

    :reg
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "trioService"=-
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    "Notification Packages"=hex(7):73,63,65,63,6c,69,00,00
    [-HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\system]
    [-HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]


  • Return to OTMoveIt, right click in the "Paste instructions for items to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please post the OTMoveIt log.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245101
# Likes # Likes : 1

View user profile

Back to top Go down

Re: Please look at my hijack this log!

Post by dapits on 15th September 2009, 6:38 pm

Here is the log. Also, Symantec keeps telling me there is a Backdoor virus and a trojan. Can you see that on these logs?

========= SERVICES/DRIVERS ==========

Service\Driver irkm deleted successfully.
========== FILES ==========
c:\progra~1\Freeze.com\Halloween moved successfully.
c:\progra~1\Freeze.com moved successfully.
c:\docume~1\alluse~1\applic~1\obonifiqu.com moved successfully.
c:\docume~1\kpits\applic~1\segucedi.reg moved successfully.
c:\windows\system32\ipufozelo.reg moved successfully.
c:\windows\hikoz.com moved successfully.
c:\windows\gyjabesu.dl moved successfully.
c:\windows\natoz.vbs moved successfully.
c:\windows\system32\nubemec.scr moved successfully.
c:\program files\common files\hukavusal.bat moved successfully.
c:\windows\system32\ozeb.com moved successfully.
LoadLibrary failed for c:\windows\system32\cegeto.dll
c:\windows\system32\cegeto.dll NOT unregistered.
c:\windows\system32\cegeto.dll moved successfully.
c:\windows\ibamoruso.vbs moved successfully.
c:\docume~1\alluse~1\applic~1\sobel.vbs moved successfully.
c:\windows\system32\ziwobizavo._dl moved successfully.
c:\docume~1\kpits\applic~1\pywec.com moved successfully.
c:\windows\system32\41.exe moved successfully.
c:\program files\common files\dikivuq._sy moved successfully.
========== REGISTRY ==========
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\trioService deleted successfully.
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\\"Notification Packages"|hex(7):73,63,65,63,6c,69,00,00 /E : value set successfully!
Registry key HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\system\ deleted successfully.
Registry key HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policie\ not found.

OTM by OldTimer - Version 3.0.0.6 log created on 09152009_143738

dapits
Intermediate
Intermediate

Posts Posts : 128
Joined Joined : 2009-03-30
OS OS : XP
Points Points : 29347
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Please look at my hijack this log!

Post by dapits on 16th September 2009, 1:40 pm

Good Morning,
The log you requested is posted above. I just wanted to let you know that symantec found that Backdoor.Tidserv!inf again this morning.
Thanks

dapits
Intermediate
Intermediate

Posts Posts : 128
Joined Joined : 2009-03-30
OS OS : XP
Points Points : 29347
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Please look at my hijack this log!

Post by Belahzur on 16th September 2009, 5:33 pm

Hello.

Hello.

  • Download combofix from here
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]

    1. If you are using Firefox, make sure that your download settings are as follows:

    * Tools->Options->Main tab
    * Set to "Always ask me where to Save the files".

    2. During the download, rename Combofix to Combo-Fix as follows:





    3. It is important you rename Combofix during the download, but not after.
    4. Please do not rename Combofix to other names, but only to the one indicated.
    5. Close any open browsers.
    6. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

  • We need to disable your local AV (Anti-virus) before running Combofix.
  • See [You must be registered and logged in to see this link.] for how to disable your AV.
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.


  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.



  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan, select yes



  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245101
# Likes # Likes : 1

View user profile

Back to top Go down

Re: Please look at my hijack this log!

Post by dapits on 16th September 2009, 7:59 pm

ComboFix 09-09-14.02 - kpits 09/16/2009 15:32.1.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.203 [GMT -4:00]
Running from: c:\documents and settings\kpits\Desktop\Combo-Fix.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Documents\igucanimu._dl
c:\documents and settings\All Users\Documents\vadedyduz.com
c:\documents and settings\kpits\Application Data\ehymotono.lib
c:\documents and settings\kpits\Application Data\jiwosa.dl
c:\documents and settings\kpits\Cookies\lumuwu.dl
c:\documents and settings\kpits\Cookies\yfaxe.dll
c:\documents and settings\kpits\Local Settings\Application Data\tydawu.scr
c:\documents and settings\kpits\Local Settings\Application Data\yrovorefe.sys
c:\documents and settings\kpits\Local Settings\Temporary Internet Files\ejoqe.pif
c:\documents and settings\kpits\Local Settings\Temporary Internet Files\ilyfohajid.dl
c:\documents and settings\kpits\Local Settings\Temporary Internet Files\jysazoh.pif
c:\documents and settings\kpits\Local Settings\Temporary Internet Files\usipegapi.lib
c:\program files\SGPSA
c:\program files\SGPSA\BHO.dll
c:\recycler\S-1-5-21-746137067-412668190-682003330-500
c:\windows\Downloaded Program Files\popcaploader.inf
c:\windows\system32\drivers\Sonyhcp.dll

.
((((((((((((((((((((((((( Files Created from 2009-08-16 to 2009-09-16 )))))))))))))))))))))))))))))))
.

2009-09-15 18:37 . 2009-09-15 18:37 -------- d-----w- C:\_OTM
2009-09-10 03:05 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2009-09-09 13:40 . 2009-09-09 13:40 -------- d-----w- c:\program files\Common Files\xing shared
2009-08-17 20:21 . 2009-08-17 20:21 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2009-08-17 20:16 . 2009-08-17 20:16 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2009-08-17 20:16 . 2009-08-17 20:17 -------- d-----w- c:\documents and settings\kpits\Local Settings\Application Data\Temp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-16 19:34 . 2007-08-20 23:26 -------- d-----w- c:\program files\Symantec AntiVirus
2009-09-16 19:02 . 2003-11-12 18:43 -------- d-----w- c:\program files\Client Bookkeeping Solution
2009-09-10 20:01 . 2009-04-09 15:20 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-09 13:40 . 2004-11-19 19:01 -------- d-----w- c:\program files\Common Files\Real
2009-09-03 13:08 . 2004-03-18 04:02 73432 ----a-w- c:\documents and settings\kpits\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-17 20:18 . 2005-08-12 18:09 -------- d-----w- c:\program files\Google
2009-08-05 13:43 . 2004-09-16 13:52 -------- d-----w- c:\program files\Java
2009-08-05 09:01 . 2004-02-02 21:16 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-03 17:36 . 2009-04-09 15:20 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 17:36 . 2009-04-09 15:20 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-25 09:23 . 2009-06-11 14:01 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-07-22 19:27 . 2009-07-22 19:27 -------- d-----w- c:\program files\MSECache
2009-07-17 19:01 . 2003-09-29 12:28 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 03:43 . 2004-08-04 07:56 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-03 17:09 . 2004-02-06 22:05 915456 ----a-w- c:\windows\system32\wininet.dll
2009-02-16 17:14 . 2009-02-16 17:14 3 ----a-w- c:\program files\xpW32sys.ico
2007-09-17 14:42 . 2007-09-17 14:42 3153865 ----a-w- c:\program files\pdfedit-0.3.2-cygwin.zip
2007-09-17 14:41 . 2007-09-17 14:41 3440668 ----a-w- c:\program files\pdfedit-0.3.2.tar.gz
2007-09-17 14:40 . 2007-09-17 14:40 2978196 ----a-w- c:\program files\pdfedit-0.3.2.tar.bz2
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="c:\windows\System32\NVMCTRAY.DLL" [2003-10-06 49152]
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Smapp"="c:\program files\Analog Devices\SoundMAX\Smtray.exe" [2002-06-27 90112]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-10-06 5058560]
"NeroCheck"="c:\windows\System32\\NeroCheck.exe" [2001-07-09 155648]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 155648]
"PDF Converter Registry Controller"="c:\program files\ScanSoft\PDF Converter 2.0\\RegistryController.exe" [2004-04-29 98304]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2007-03-14 125632]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-11-21 52840]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"SGPUpdater"="c:\program files\Search Guard PlusU\sgpUpdaters.exe" [2009-05-15 67456]
"FBSearch"="c:\program files\Search Guard Plus\SearchGuardPlus.exe" [2009-05-04 194432]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-09-09 198160]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2003-10-06 741376]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Billminder.lnk - c:\quickenw\BILLMIND.EXE [2003-11-12 36864]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
Quicken Startup.lnk - c:\quickenw\QWDLLS.EXE [2003-11-12 36864]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Abacast\\Abaclient.exe"=
"c:\\Program Files\\Microsoft Office\\Office10\\WINWORD.EXE"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R2 IOPort;IOPort;c:\windows\system32\drivers\IOPORT.SYS [11/27/1998 11:57 PM 6144]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [9/9/2009 8:08 PM 102448]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,LaunchINFSectionEx c:\program files\Internet Explorer\clrtour.inf,DefaultInstall.ResetTour,,12
.
Contents of the 'Scheduled Tasks' folder

2009-09-12 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2009-09-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-08-17 20:15]

2009-09-16 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-08-17 20:15]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
mStart Page = [You must be registered and logged in to see this link.]
mSearch Bar = [You must be registered and logged in to see this link.]
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
IE: &AIM Search - c:\program files\AIM Toolbar\AIMBar.dll/aimsearch.htm
IE: &Search
IE: &Viewpoint Search - c:\program files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: Open PDF in Word (PDF Converter 2.0) - c:\program files\ScanSoft\PDF Converter 2.0\IEShellExt.dll /100
Trusted Zone: maconstate.edu\www
TCP: {6566C1D6-A134-4317-B78C-0B4742417737} = 68.1.18.237,68.1.18.30
TCP: {BE84494B-7C36-4E44-BF8D-AB20DDDBD790} = 68.1.18.237,68.1.18.30
DPF: DirectAnimation Java Classes - [You must be registered and logged in to see this link.]
DPF: Microsoft XML Parser for Java - [You must be registered and logged in to see this link.]
DPF: {7823A620-9DD9-11CF-A662-00AA00C066D2} - [You must be registered and logged in to see this link.]
DPF: {7876E4A5-78B7-4020-B08F-C960A1ED54C9} - [You must be registered and logged in to see this link.]
DPF: {B6C10489-FB89-11D4-93C9-006008A7EED4} - [You must be registered and logged in to see this link.]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-WildTangent CDA - c:\program files\WildTangent\Apps\CDA\cdaEngine0400.dll
HKLM-Run-BI1HelperStartUp - c:\progra~1\BEACHI~1\BI1HEL~1.EXE
AddRemove-Adobe Acrobat 4.0 - c:\windows\ISUNINST.EXE -fc:\program files\Common Files\Adobe\Acrobat 4.0\NT\Uninst.isu
AddRemove-HijackThis - c:\documents and settings\kpits\Local Settings\Temporary Internet Files\Content.IE5\8A9NATCI\HijackThis.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-09-16 15:46
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
SGPUpdater = c:\program files\Search Guard PlusU\sgpUpdaters.exe??o?p" hot_icons="icons.bmp" name="Fast Browser S
FBSearch = c:\program files\Search Guard Plus\SearchGuardPlus.exe?p" hot_icons="icons.bmp" name="Fast Browser S

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-09-16 15:52
ComboFix-quarantined-files.txt 2009-09-16 19:51

Pre-Run: 19,623,833,600 bytes free
Post-Run: 21,328,011,264 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

167 --- E O F --- 2009-09-10 07:04

dapits
Intermediate
Intermediate

Posts Posts : 128
Joined Joined : 2009-03-30
OS OS : XP
Points Points : 29347
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Please look at my hijack this log!

Post by Belahzur on 16th September 2009, 8:00 pm

Hello.
Nearly done now, two more logs and we should be done.

  • Open HijackThis.
  • When Hijack This opens, click "Open the Misc Tools section"
  • Then select "Open Uninstall Manager"
  • Click on "Save List..." (generates uninstall_list.txt)
  • Click Save, copy and paste the results in your next post.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245101
# Likes # Likes : 1

View user profile

Back to top Go down

Re: Please look at my hijack this log!

Post by dapits on 16th September 2009, 8:18 pm

Is this what you need?

Acoustica MP3 CD Burner
Adobe Atmosphere Player for Acrobat and Adobe Reader
Adobe Download Manager 1.2 (Remove Only)
Adobe Flash Player 10 ActiveX
Adobe Photoshop Album 2.0 Starter Edition
Adobe Reader 7.0.9
Apple Software Update
AXIS Media Control Embedded
BadCopy Pro
Client Bookkeeping Solution 2007.1
Compatibility Pack for the 2007 Office system
Critical Update for Windows Media Player 11 (KB959772)
Divar 2.00 PC Software
DivX Web Player
Fiery Link
Google Earth
Google Update Helper
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.0 (KB932471)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Intel(R) PRO Ethernet Adapter and Software
J2SE Runtime Environment 5.0 Update 2
J2SE Runtime Environment 5.0 Update 6
Java 2 Runtime Environment, SE v1.4.2_03
Java(TM) 6 Update 15
Java(TM) 6 Update 3
jGRASP
LiveUpdate 1.6 (Symantec Corporation)
LiveUpdate 3.1 (Symantec Corporation)
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Data Access Components KB870669
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office XP Professional
Microsoft Publisher 2002
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
MSN Music Assistant
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 6 Service Pack 2 (KB954459)
Nero - Burning Rom
Norton AntiVirus Corporate Edition
NVIDIA Display Driver
NVIDIA Windows 2000/XP Display Drivers
PDF to Word 1.1
PowerDVD
Quicken 2001 Home & Business
QuickTime
RealPlayer
SAM 2003
ScanSoft PDF Converter 2.0
Search Guard Plus (My Web Tattoo)
Search Guard Plus Updater (My Web Tattoo)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Shockwave
SmartWeb Parent Web Center (SwPRMS)
Sony USB Driver
SoundMAX
Surveyor 1.0.88.243
Symantec AntiVirus
Symantec Technical Support Web Controls
The Enchanting Islands (remove only)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB968220)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB973815)
Viewpoint Media Player
Windows Defender Signatures
Windows Imaging Component
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Format SDK Hotfix - KB891122
Windows Media Player 11
Windows Media Player 11
Windows Presentation Foundation
Windows XP Service Pack 3
Yahoo! Browser Services
Yahoo! Install Manager
Yahoo! Internet Mail
Yahoo! Software Update
Yahoo! Toolbar

dapits
Intermediate
Intermediate

Posts Posts : 128
Joined Joined : 2009-03-30
OS OS : XP
Points Points : 29347
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Please look at my hijack this log!

Post by Belahzur on 16th September 2009, 11:47 pm

Hello.

Go to Start > Control Panel > Add/Remove Programs and remove the following programs.

    J2SE Runtime Environment 5.0 Update 2
    J2SE Runtime Environment 5.0 Update 6
    Java 2 Runtime Environment, SE v1.4.2_03
    Java(TM) 6 Update 15
    Java(TM) 6 Update 3
    Search Guard Plus (My Web Tattoo)
    Search Guard Plus Updater (My Web Tattoo)
    Viewpoint Media Player

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /u



This will also reset your restore points.

How is the machine running now?


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245101
# Likes # Likes : 1

View user profile

Back to top Go down

Re: Please look at my hijack this log!

Post by dapits on 17th September 2009, 1:58 pm

It is doing much better. This morning after the scan it didn't find all of those Trojans or Backdoor things Hooray!
So what do you think?

dapits
Intermediate
Intermediate

Posts Posts : 128
Joined Joined : 2009-03-30
OS OS : XP
Points Points : 29347
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Please look at my hijack this log!

Post by Belahzur on 17th September 2009, 2:00 pm

I think this should be fine as long you as keep Symantec updated and stay away from P2P and bad websites.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245101
# Likes # Likes : 1

View user profile

Back to top Go down

Re: Please look at my hijack this log!

Post by dapits on 17th September 2009, 2:04 pm

Thanks Belahzur! You rock!

dapits
Intermediate
Intermediate

Posts Posts : 128
Joined Joined : 2009-03-30
OS OS : XP
Points Points : 29347
# Likes # Likes : 0

View user profile

Back to top Go down

View previous topic View next topic Back to top

- Similar topics

 
Permissions in this forum:
You cannot reply to topics in this forum