
Explorer.exe, adware, and awtsrpp.dll problem!

Discussion in 'Virus & Other Malware Removal' started by IamJack, Nov 2, 2007.

  1. IamJack

    IamJack Thread Starter

    Joined:
    Nov 2, 2007
    Messages:
    7
    Recently my computer is bringing me a lot of problems. My EXPLORER.exe seems to always close by itself, and thus my task bar and desktop icons disappear. I tried to fix this problem by running EXPLORER.exe through Task Manager, but it crashes again soon after. Also I have been receiving random pop-ups which lead me to anti-virus programs. Also there is this "awtsrpp.dll" in WINDOWS\system32 that my Norton AntiVirus keeps detecting, and yet it is unable to fix the problem. When I try to go into system32 and delete this .dll, it says something like "cannot be deleted because it's being used by user."

    Help please?!!! :(

    Here is my HJ Log:
    Logfile of HijackThis v1.99.1
    Scan saved at 6:52:52 PM, on 11/2/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    D:\Program Files\Norton AntiVirus\navapsvc.exe
    D:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\EXPLORER.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\HijackThis\HijackThis.exe

    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [00000ee1] rundll32.exe "C:\WINDOWS\system32\jlqmnbsg.dll",b
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
    O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
    O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.9.24.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} (MUCatalogWebControl Class) - http://catalog.update.microsoft.com.../en/x86/MuCatalogWebControl.cab?1192952756015
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1192962793484
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
    O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
    O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - D:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - D:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    O23 - Service: SAVScan - Symantec Corporation - D:\Program Files\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
     
  2. IamJack

    IamJack Thread Starter

    Joined:
    Nov 2, 2007
    Messages:
    7
    Please help :eek: ~~~~
     
  3. sjpritch25

    sjpritch25

    Joined:
    Sep 8, 2005
    Messages:
    9,113
    Welcome to TSG :)


    Download Combofix and save it to your desktop.

    **Note: It is important that it is saved directly to your desktop**

    --------------------------------------------------------------------

    1. Close any open browsers.

    2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

    --------------------------------------------------------------------

    Double-click on combofix.exe & follow the prompts.
    • When finished, it will produce a report for you.
    • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
    Note:
    Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
     
  4. IamJack

    IamJack Thread Starter

    Joined:
    Nov 2, 2007
    Messages:
    7
    I did as I was told and here is my ComboFix Log:

    ComboFix 07-11-04.1 - JS 2007-11-03 12:37:15.1 - FAT32x86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.245 [GMT -7:00]
    Running from: C:\Documents and Settings\JS\Desktop\ComboFix.exe
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\check_LSA7.txt
    C:\Documents and Settings\JS\Application Data\ICROSO~1.NET
    C:\Program Files\Common Files\Yazzle1848OinAdmin.exe
    C:\Program Files\Common Files\Yazzle1848OinUninstaller.exe
    C:\Program Files\Temporary
    C:\Program Files\ymbols~1
    C:\WINDOWS\cookies.ini
    C:\WINDOWS\retadpu1000520.exe
    C:\WINDOWS\SYSTEM32\bahyxuyu.ini
    C:\WINDOWS\SYSTEM32\cydpifwe.ini
    C:\WINDOWS\system32\ewfipdyc.dll
    C:\WINDOWS\SYSTEM32\lnnmp.bak1
    C:\WINDOWS\SYSTEM32\lnnmp.bak2
    C:\WINDOWS\SYSTEM32\lnnmp.ini
    C:\WINDOWS\SYSTEM32\lnnmp.ini2
    C:\WINDOWS\SYSTEM32\lnnmp.tmp
    C:\WINDOWS\system32\pmnnl.dll
    C:\WINDOWS\system32\pstbgypu.dll
    C:\WINDOWS\system32\racle~1
    C:\WINDOWS\SYSTEM32\tlvpraox.ini
    C:\WINDOWS\system32\uplqtbdv.dll
    C:\WINDOWS\SYSTEM32\upygbtsp.ini
    C:\WINDOWS\system32\uyuxyhab.dll
    C:\WINDOWS\SYSTEM32\vdbtqlpu.ini
    C:\WINDOWS\system32\xoarpvlt.dll

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

    .
    -------\LEGACY_DOMAINSERVICE


    ((((((((((((((((((((((((( Files Created from 2007-10-04 to 2007-11-04 )))))))))))))))))))))))))))))))
    .

    2007-11-03 12:34 87,616 --a------ C:\WINDOWS\SYSTEM32\pfjnhubb.dll
    2007-11-03 12:34 51,200 --a------ C:\WINDOWS\NirCmd.exe
    2007-11-02 17:49 66,048 --a------ C:\WINDOWS\SYSTEM32\dllcache\s3legacy.dll
    2007-11-02 17:19 <DIR> d-------- C:\WINDOWS\pss
    2007-11-02 17:18 86,080 --a------ C:\WINDOWS\SYSTEM32\jlqmnbsg.dll
    2007-10-31 18:13 <DIR> d-------- C:\Program Files\Common Files\InstallShield
    2007-10-31 17:06 31,616 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\usbccgp.sys
    2007-10-31 17:06 31,616 --a------ C:\WINDOWS\SYSTEM32\dllcache\usbccgp.sys
    2007-10-31 17:06 26,496 --a------ C:\WINDOWS\SYSTEM32\dllcache\usbstor.sys
    2007-10-27 21:39 <DIR> d-------- C:\Program Files\Common Files\Adobe
    2007-10-24 14:54 <DIR> d-------- C:\Program Files\Enigma Software Group
    2007-10-23 07:49 271,224 --a------ C:\WINDOWS\SYSTEM32\mucltui.dll
    2007-10-23 07:49 207,736 --a------ C:\WINDOWS\SYSTEM32\muweb.dll
    2007-10-23 00:33 32,592 --a------ C:\WINDOWS\SYSTEM32\msonpmon.dll
    2007-10-23 00:20 <DIR> d-------- C:\Program Files\MSBuild
    2007-10-23 00:20 <DIR> d-------- C:\Program Files\Microsoft Works
    2007-10-23 00:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
    2007-10-23 00:05 <DIR> dr-h----- C:\MSOCache
    2007-10-23 00:01 <DIR> d-------- C:\Program Files\PowerISO
    2007-10-22 21:35 <DIR> d-------- C:\Documents and Settings\JS\Application Data\Viewpoint
    2007-10-22 18:25 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Symantec
    2007-10-22 17:42 <DIR> d-------- C:\Program Files\SymNetDrv
    2007-10-22 17:23 4,608 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\symlcbrd.sys
    2007-10-22 17:22 <DIR> d-------- C:\Documents and Settings\JS\Application Data\Symantec
    2007-10-22 17:22 124,016 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\SYMEVENT.SYS
    2007-10-22 17:22 91,904 --a------ C:\WINDOWS\SYSTEM32\S32EVNT1.DLL
    2007-10-22 17:21 <DIR> d-------- C:\Program Files\Symantec
    2007-10-22 16:19 <DIR> d-------- C:\Program Files\Lavasoft
    2007-10-22 16:07 <DIR> d-------- C:\Documents and Settings\JS\Incomplete
    2007-10-22 16:07 <DIR> d-------- C:\Documents and Settings\JS\Application Data\LimeWire
    2007-10-21 23:21 221,184 --a------ C:\WINDOWS\SYSTEM32\wmpns.dll
    2007-10-21 19:43 <DIR> d-------- C:\WINDOWS\Sun
    2007-10-21 19:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Symantec
    2007-10-21 19:20 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
    2007-10-21 19:16 <DIR> d-------- C:\Program Files\DAEMON Tools
    2007-10-21 19:16 223,128 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\dtscsi.sys
    2007-10-21 19:13 643,072 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\sptd.sys
    2007-10-21 19:13 96,256 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\sptd6589.sys
    2007-10-21 18:04 <DIR> d-------- C:\Program Files\Java
    2007-10-21 18:02 <DIR> d-------- C:\Program Files\LimeWire
    2007-10-21 18:02 <DIR> d-------- C:\Program Files\Common Files\Java
    2007-10-21 18:02 34,304 --------- C:\WINDOWS\SYSTEM32\awtsrpp.dll
    2007-10-21 15:14 163,840 --a------ C:\WINDOWS\SYSTEM32\igfxres.dll
    2007-10-21 15:01 <DIR> d-------- C:\Intel
    2007-10-21 14:46 <DIR> d-------- C:\Documents and Settings\JS\Application Data\acccore
    2007-10-21 14:45 <DIR> d-------- C:\Program Files\Viewpoint
    2007-10-21 14:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Viewpoint
    2007-10-21 14:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL OCP
    2007-10-21 14:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL
    2007-10-21 14:44 <DIR> d-------- C:\Program Files\Common Files\AOL
    2007-10-21 14:44 <DIR> d-------- C:\Program Files\AIM6
    2007-10-21 14:43 0 --a------ C:\WINDOWS\nsreg.dat
    2007-10-21 14:31 <DIR> d-------- C:\WINDOWS\provisioning
    2007-10-21 14:31 <DIR> d-------- C:\WINDOWS\peernet
    2007-10-21 14:29 <DIR> d-------- C:\WINDOWS\ServicePackFiles
    2007-10-21 14:24 <DIR> d-------- C:\WINDOWS\EHome
    2007-10-21 09:19 11,776 --------- C:\WINDOWS\SYSTEM32\spnpinst.exe
    2007-10-21 09:19 11,776 --a------ C:\WINDOWS\SYSTEM32\dllcache\spnpinst.exe
    2007-10-21 09:19 4,569 --------- C:\WINDOWS\SYSTEM32\secupd.dat
    2007-10-21 09:19 4,569 --a------ C:\WINDOWS\SYSTEM32\dllcache\secupd.dat
    2007-10-21 08:36 1,082,368 --a------ C:\WINDOWS\SYSTEM32\esent.dll
    2007-10-21 08:36 1,082,368 --a------ C:\WINDOWS\SYSTEM32\dllcache\esent.dll
    2007-10-21 08:28 12,160 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mouhid.sys
    2007-10-21 08:28 12,160 --a------ C:\WINDOWS\SYSTEM32\dllcache\mouhid.sys
    2007-10-21 08:28 9,600 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\hidusb.sys
    2007-10-21 08:28 9,600 --a------ C:\WINDOWS\SYSTEM32\dllcache\hidusb.sys
    2007-10-21 03:39 <DIR> d-------- C:\WINDOWS\SYSTEM32\bits
    2007-10-21 03:39 <DIR> d--h----- C:\WINDOWS\$hf_mig$
    2007-10-21 03:39 22,752 --a------ C:\WINDOWS\SYSTEM32\spupdsvc.exe
    2007-10-21 03:34 549,720 --a------ C:\WINDOWS\SYSTEM32\wuapi.dll
    2007-10-21 03:34 549,720 --a------ C:\WINDOWS\SYSTEM32\dllcache\wuapi.dll
    2007-10-21 03:34 325,976 --a------ C:\WINDOWS\SYSTEM32\wucltui.dll
    2007-10-21 03:34 325,976 --a------ C:\WINDOWS\SYSTEM32\dllcache\wucltui.dll
    2007-10-21 03:34 43,352 --a------ C:\WINDOWS\SYSTEM32\wups2.dll
    2007-10-21 03:34 33,624 --a------ C:\WINDOWS\SYSTEM32\wups.dll
    2007-10-21 03:34 33,624 --a------ C:\WINDOWS\SYSTEM32\dllcache\wups.dll
    2007-10-21 03:33 <DIR> d---s---- C:\Documents and Settings\JS\UserData
    2007-10-21 03:32 <DIR> d---s---- C:\WINDOWS\SYSTEM32\Microsoft
    2007-10-21 03:31 <DIR> d--hs---- C:\WINDOWS\Installer
    2007-10-21 03:24 <DIR> d-------- C:\WINDOWS\SYSTEM32\xircom
    2007-10-21 03:24 <DIR> d-------- C:\Program Files\microsoft frontpage
    2007-10-21 03:24 14,336 --a------ C:\WINDOWS\SYSTEM32\dllcache\iisreset.exe
    2007-10-21 03:24 6,144 --a------ C:\WINDOWS\SYSTEM32\dllcache\ftpsapi2.dll
    2007-10-21 03:24 5,632 --a------ C:\WINDOWS\SYSTEM32\dllcache\iisrstap.dll
    2007-10-21 03:23 <DIR> d--hs---- C:\Documents and Settings\All Users\DRM
    2007-10-21 03:15 <DIR> dr------- C:\Documents and Settings\All Users\Documents
    2007-10-21 03:15 <DIR> d-------- C:\Documents and Settings
    2007-10-21 02:59 <DIR> d-------- C:\WINDOWS\setup
    2007-10-21 02:58 <DIR> d--h----- C:\WINDOWS\NetHood
    2007-10-21 02:57 <DIR> d-------- C:\WINDOWS\SYSTEM\CatRoot
    2007-10-21 02:57 <DIR> d---s---- C:\WINDOWS\Cookies
    2007-10-21 02:57 <DIR> d-------- C:\Program Files\DirectX
    2007-10-21 02:56 <DIR> d-------- C:\WINDOWS\Start Menu
    2007-10-21 02:56 <DIR> d-------- C:\WINDOWS\SendTo
    2007-10-21 02:56 <DIR> d--h----- C:\WINDOWS\Recent
    2007-10-21 02:56 <DIR> d--h----- C:\WINDOWS\PIF
    2007-10-21 02:56 <DIR> d---s---- C:\WINDOWS\Favorites
    2007-10-21 02:56 <DIR> d---s---- C:\WINDOWS\Downloaded Program Files
    2007-10-21 02:55 <DIR> d-------- C:\WINDOWS\Desktop
    2007-10-21 02:55 <DIR> d-------- C:\WINDOWS\All Users

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-10-21 10:58 46,080 --sha-w C:\VIDEOROM.BIN
    2007-10-21 10:57 266 --sh--w C:\Program Files\desktop.ini
    2007-10-21 10:57 11,025 ---h--w C:\Program Files\folder.htt
    2007-10-21 10:50 7,809 --sh--w C:\SUHDLOG.DAT
    2007-10-21 10:46 --------- d-----w C:\Program Files\CHAT
    2007-10-21 10:46 --------- d-----r C:\Program Files\Accessories
    2007-09-10 19:10 1,060,864 ----a-w C:\WINDOWS\SYSTEM32\mfc71.dll
    2007-09-10 19:09 348,160 ----a-w C:\WINDOWS\SYSTEM32\msvcr71.dll
    2007-09-10 19:08 1,047,552 ----a-w C:\WINDOWS\SYSTEM32\mfc71u.dll
    2007-09-10 19:07 499,712 ----a-w C:\WINDOWS\SYSTEM32\msvcp71.dll
    2007-09-10 18:42 89,088 ----a-w C:\WINDOWS\SYSTEM32\atl71.dll
    2007-08-22 14:12 96,256 ----a-w C:\WINDOWS\SYSTEM32\dllcache\inseng.dll
    2007-08-22 14:12 658,944 ----a-w C:\WINDOWS\SYSTEM32\dllcache\wininet.dll
    2007-08-22 14:12 615,424 ----a-w C:\WINDOWS\SYSTEM32\dllcache\urlmon.dll
    2007-08-22 14:12 55,808 ----a-w C:\WINDOWS\SYSTEM32\dllcache\extmgr.dll
    2007-08-22 14:12 532,480 ----a-w C:\WINDOWS\SYSTEM32\dllcache\mstime.dll
    2007-08-22 14:12 474,112 ----a-w C:\WINDOWS\SYSTEM32\dllcache\shlwapi.dll
    2007-08-22 14:12 449,024 ----a-w C:\WINDOWS\SYSTEM32\dllcache\mshtmled.dll
    2007-08-22 14:12 39,424 ----a-w C:\WINDOWS\SYSTEM32\dllcache\pngfilt.dll
    2007-08-22 14:12 357,888 ----a-w C:\WINDOWS\SYSTEM32\dllcache\dxtmsft.dll
    2007-08-22 14:12 3,058,176 ----a-w C:\WINDOWS\SYSTEM32\dllcache\mshtml.dll
    2007-08-22 14:12 251,392 ----a-w C:\WINDOWS\SYSTEM32\dllcache\iepeers.dll
    2007-08-22 14:12 205,312 ----a-w C:\WINDOWS\SYSTEM32\dllcache\dxtrans.dll
    2007-08-22 14:12 16,384 ----a-w C:\WINDOWS\SYSTEM32\dllcache\jsproxy.dll
    2007-08-22 14:12 151,040 ----a-w C:\WINDOWS\SYSTEM32\dllcache\cdfview.dll
    2007-08-22 14:12 146,432 ----a-w C:\WINDOWS\SYSTEM32\dllcache\msrating.dll
    2007-08-22 14:12 1,494,528 ----a-w C:\WINDOWS\SYSTEM32\dllcache\shdocvw.dll
    2007-08-22 14:12 1,054,208 ----a-w C:\WINDOWS\SYSTEM32\dllcache\danim.dll
    2007-08-22 14:12 1,022,976 ----a-w C:\WINDOWS\SYSTEM32\dllcache\browseui.dll
    2007-08-21 11:30 18,432 ----a-w C:\WINDOWS\SYSTEM32\dllcache\iedw.exe
    2007-08-21 07:15 683,520 ----a-w C:\WINDOWS\SYSTEM32\inetcomm.dll
    2007-08-21 07:15 683,520 ----a-w C:\WINDOWS\SYSTEM32\dllcache\inetcomm.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{232D2677-68EE-4FA1-B988-279EBC8969ED}]
    2007-10-21 18:02 34304 --------- C:\WINDOWS\system32\awtsrpp.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8A9E3F5C-95F3-9474-BB59-8F8A378229C3}]
    C:\WINDOWS\system32\zgh.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8FCF3A59-C6F6-9625-BB59-8F8A378228C7}]
    C:\WINDOWS\system32\hcmc.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "PHIME2002ASync"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe" [2002-08-29 12:00]
    "PHIME2002A"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe" [2002-08-29 12:00]
    "AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 13:47 C:\WINDOWS\ALCXMNTR.EXE]
    "ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 17:32]
    "Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2007-10-22 17:42]
    "IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-03 22:32]
    "HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-11-02 08:59]
    "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51]
    "00000ee1"="C:\WINDOWS\system32\pfjnhubb.dll" [2007-11-03 12:34]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{232D2677-68EE-4FA1-B988-279EBC8969ED}"= C:\WINDOWS\system32\awtsrpp.dll [2007-10-21 18:02 34304]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtsrpp]
    awtsrpp.dll 2007-10-21 18:02 34304 C:\WINDOWS\SYSTEM32\awtsrpp.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^JS^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
    path=C:\Documents and Settings\JS\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
    backup=C:\WINDOWS\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
    "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
    C:\WINDOWS\system32\igfxtray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"

    S3 SymIM;Symantec Network Security Intermediate Filter Service;C:\WINDOWS\system32\DRIVERS\SymIM.sys
    S3 SymIMMP;SymIMMP;C:\WINDOWS\system32\DRIVERS\SymIM.sys

    .
    Contents of the 'Scheduled Tasks' folder
    "2007-11-03 04:00:02 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer - JS.job"
    - D:\PROGRA~1\NORTON~1\Navw32.exe
    .
    **************************************************************************

    catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-11-04 12:46:33
    Windows 5.1.2600 Service Pack 2 FAT NTAPI

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2007-11-04 12:51:49 - machine was rebooted
    .
    --- E O F ---

    New HijackThis Log:

    Logfile of HijackThis v1.99.1
    Scan saved at 12:54:21 PM, on 11/4/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    D:\Program Files\Norton AntiVirus\navapsvc.exe
    D:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\HijackThis\HijackThis.exe

    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {232D2677-68EE-4FA1-B988-279EBC8969ED} - C:\WINDOWS\system32\awtsrpp.dll
    O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.9.24.dll
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: (no name) - {8A9E3F5C-95F3-9474-BB59-8F8A378229C3} - C:\WINDOWS\system32\zgh.dll (file missing)
    O2 - BHO: (no name) - {8FCF3A59-C6F6-9625-BB59-8F8A378228C7} - C:\WINDOWS\system32\hcmc.dll (file missing)
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [00000ee1] rundll32.exe "C:\WINDOWS\system32\pfjnhubb.dll",b
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
    O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
    O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.9.24.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} (MUCatalogWebControl Class) - http://catalog.update.microsoft.com.../en/x86/MuCatalogWebControl.cab?1192952756015
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1192962793484
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
    O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
    O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
    O20 - Winlogon Notify: awtsrpp - C:\WINDOWS\SYSTEM32\awtsrpp.dll
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - D:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - D:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    O23 - Service: SAVScan - Symantec Corporation - D:\Program Files\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
    Thanks.
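    The log above registers the same system32 DLL as a nameless BHO (O2) and as a Winlogon Notify package (O20), which is why Explorer reports the file as in use, and launches a second random-named DLL through a rundll32 Run entry (O4); those are the files the helper's CFScript later removes. The triage script below is an added example, not HijackThis's or the thread's own code; it parses a few lines copied from this log (plus benign ones for contrast) and assumes a small allow-list of Windows XP's stock Winlogon Notify packages.

```python
"""Triage helper for the HijackThis (v1.99) log format shown in this thread.

Flags the persistence pattern seen in the log: a randomly named system32 DLL
registered as a nameless BHO (O2) and as a Winlogon Notify package (O20), plus
a second DLL launched through a rundll32 Run entry (O4).
"""
import re
from collections import defaultdict

# Constructed sample: four suspicious lines copied from the log in this post
# plus three benign ones (Adobe BHO, hkcmd Run entry, Symantec service).
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {232D2677-68EE-4FA1-B988-279EBC8969ED} - C:\WINDOWS\system32\awtsrpp.dll
O2 - BHO: (no name) - {8A9E3F5C-95F3-9474-BB59-8F8A378229C3} - C:\WINDOWS\system32\zgh.dll (file missing)
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [00000ee1] rundll32.exe "C:\WINDOWS\system32\pfjnhubb.dll",b
O20 - Winlogon Notify: awtsrpp - C:\WINDOWS\SYSTEM32\awtsrpp.dll
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
"""

# Winlogon Notify packages that ship with Windows XP SP2 (assumed allow-list,
# not exhaustive); anything else is loaded into winlogon.exe at every logon.
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "scardsvr", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon"}

SYS32_DLL = re.compile(r"^c:\\windows\\system32\\([a-z0-9_]+)\.dll$", re.I)
ENTRY = re.compile(r"^(O\d+) - (.*)$")
RUNDLL = re.compile(r'rundll32\.exe\s+"?([^",]+\.dll)"?,(\w+)', re.I)
NOTIFY = re.compile(r"^Winlogon Notify:\s*(\S+)\s+-\s+(.*)$")


def system32_stem(path):
    """Return the lower-cased file stem if path is a DLL directly in system32."""
    m = SYS32_DLL.match(path.strip())
    return m.group(1).lower() if m else None


def triage(log_text):
    """Return a list of (section, dll_stem, reason) for suspicious entries."""
    findings = []
    for raw in log_text.strip().splitlines():
        m = ENTRY.match(raw.strip())
        if not m:
            continue
        section, rest = m.groups()
        if section == "O2" and "(no name)" in rest:
            # Legitimate BHOs carry a product name; the ones in this log do not.
            missing = "(file missing)" in rest
            path = rest.split(" - ")[-1].replace("(file missing)", "").strip()
            stem = system32_stem(path)
            if stem:
                why = ("orphaned nameless BHO entry" if missing
                       else "nameless BHO loading a system32 DLL")
                findings.append((section, stem, why))
        elif section == "O4":
            mm = RUNDLL.search(rest)
            if mm and system32_stem(mm.group(1)):
                findings.append((section, system32_stem(mm.group(1)),
                                 f"rundll32 Run entry calling export '{mm.group(2)}'"))
        elif section == "O20":
            mm = NOTIFY.match(rest)
            if mm and mm.group(1).lower() not in KNOWN_NOTIFY:
                findings.append((section, mm.group(1).lower(),
                                 "unknown Winlogon Notify package (file is in use "
                                 "whenever a user is logged on)"))
    return findings


def hooks_per_dll(findings):
    """Group findings by DLL stem: one DLL hooked in several places is the
    strongest signal, e.g. awtsrpp appearing in both O2 and O20."""
    hooks = defaultdict(set)
    for section, stem, _ in findings:
        hooks[stem].add(section)
    return {stem: sorted(secs) for stem, secs in hooks.items()}


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for section, stem, why in found:
        print(f"{section:4} {stem:10} {why}")
    print(hooks_per_dll(found))
```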
     
  5. IamJack

    IamJack Thread Starter

    Joined:
    Nov 2, 2007
    Messages:
    7
    Any help?
     
  6. sjpritch25

    sjpritch25

    Joined:
    Sep 8, 2005
    Messages:
    9,113
    Sorry for the delay, I had some problems upgrading my OS. I lost some stuff and am trying to replace it.


    Download the attached file CFScript.txt to your Desktop


    [image: CFScript.txt being dragged onto ComboFix.exe]

    Referring to the picture above, drag CFScript into ComboFix.exe.

    When finished, it shall produce a log for you at "C:\ComboFix.txt"

    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.



    Note: Please do not use this script on another computer; you may damage the system. The script is made especially for this computer only!!!!
     


  7. IamJack

    IamJack Thread Starter

    Joined:
    Nov 2, 2007
    Messages:
    7
    Here's the new log:

    ComboFix 07-11-04.1 - JS 2007-11-05 23:03:55.2 - FAT32x86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.252 [GMT -8:00]
    Running from: C:\Documents and Settings\JS\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\JS\Desktop\CFScript.txt
    * Created a new restore point

    FILE::
    C:\WINDOWS\SYSTEM32\awtsrpp.dll
    C:\WINDOWS\SYSTEM32\jlqmnbsg.dll
    C:\WINDOWS\SYSTEM32\pfjnhubb.dll
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\WINDOWS\SYSTEM32\awtsrpp.dll
    C:\WINDOWS\system32\awvtr.dll
    C:\WINDOWS\SYSTEM32\jlqmnbsg.dll
    C:\WINDOWS\SYSTEM32\pfjnhubb.dll
    C:\WINDOWS\SYSTEM32\rtvwa.bak1
    C:\WINDOWS\SYSTEM32\rtvwa.ini
    C:\WINDOWS\system32\rwanvjhs.exe

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

    .
    -------\LEGACY_DOMAINSERVICE
    -------\DomainService


    ((((((((((((((((((((((((( Files Created from 2007-10-06 to 2007-11-06 )))))))))))))))))))))))))))))))
    .

    2007-11-05 15:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
    2007-11-05 14:53 86,080 --a------ C:\WINDOWS\SYSTEM32\bfhodwuh.dll
    2007-11-05 14:50 78,912 --a------ C:\WINDOWS\SYSTEM32\idcgmfvv.dll
    2007-11-04 16:19 <DIR> d-------- C:\Program Files\DivX
    2007-11-04 16:18 684 --a------ C:\WINDOWS\mozver.dat
    2007-11-03 12:34 51,200 --a------ C:\WINDOWS\NirCmd.exe
    2007-11-02 17:49 66,048 --a------ C:\WINDOWS\SYSTEM32\dllcache\s3legacy.dll
    2007-11-02 17:19 <DIR> d-------- C:\WINDOWS\pss
    2007-10-31 18:13 <DIR> d-------- C:\Program Files\Common Files\InstallShield
    2007-10-31 17:06 31,616 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\usbccgp.sys
    2007-10-31 17:06 31,616 --a------ C:\WINDOWS\SYSTEM32\dllcache\usbccgp.sys
    2007-10-31 17:06 26,496 --a------ C:\WINDOWS\SYSTEM32\dllcache\usbstor.sys
    2007-10-27 21:39 <DIR> d-------- C:\Program Files\Common Files\Adobe
    2007-10-24 14:54 <DIR> d-------- C:\Program Files\Enigma Software Group
    2007-10-23 07:49 271,224 --a------ C:\WINDOWS\SYSTEM32\mucltui.dll
    2007-10-23 07:49 207,736 --a------ C:\WINDOWS\SYSTEM32\muweb.dll
    2007-10-23 00:33 32,592 --a------ C:\WINDOWS\SYSTEM32\msonpmon.dll
    2007-10-23 00:20 <DIR> d-------- C:\Program Files\MSBuild
    2007-10-23 00:20 <DIR> d-------- C:\Program Files\Microsoft Works
    2007-10-23 00:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
    2007-10-23 00:05 <DIR> dr-h----- C:\MSOCache
    2007-10-23 00:01 <DIR> d-------- C:\Program Files\PowerISO
    2007-10-22 21:35 <DIR> d-------- C:\Documents and Settings\JS\Application Data\Viewpoint
    2007-10-22 18:25 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Symantec
    2007-10-22 17:42 <DIR> d-------- C:\Program Files\SymNetDrv
    2007-10-22 17:23 4,608 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\symlcbrd.sys
    2007-10-22 17:22 <DIR> d-------- C:\Documents and Settings\JS\Application Data\Symantec
    2007-10-22 17:22 124,016 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\SYMEVENT.SYS
    2007-10-22 17:22 91,904 --a------ C:\WINDOWS\SYSTEM32\S32EVNT1.DLL
    2007-10-22 17:21 <DIR> d-------- C:\Program Files\Symantec
    2007-10-22 16:19 <DIR> d-------- C:\Program Files\Lavasoft
    2007-10-22 16:07 <DIR> d-------- C:\Documents and Settings\JS\Incomplete
    2007-10-22 16:07 <DIR> d-------- C:\Documents and Settings\JS\Application Data\LimeWire
    2007-10-21 23:21 221,184 --a------ C:\WINDOWS\SYSTEM32\wmpns.dll
    2007-10-21 19:43 <DIR> d-------- C:\WINDOWS\Sun
    2007-10-21 19:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Symantec
    2007-10-21 19:20 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
    2007-10-21 19:16 <DIR> d-------- C:\Program Files\DAEMON Tools
    2007-10-21 19:16 223,128 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\dtscsi.sys
    2007-10-21 19:13 643,072 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\sptd.sys
    2007-10-21 19:13 96,256 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\sptd6589.sys
    2007-10-21 18:04 <DIR> d-------- C:\Program Files\Java
    2007-10-21 18:02 <DIR> d-------- C:\Program Files\LimeWire
    2007-10-21 18:02 <DIR> d-------- C:\Program Files\Common Files\Java
    2007-10-21 15:14 163,840 --a------ C:\WINDOWS\SYSTEM32\igfxres.dll
    2007-10-21 15:01 <DIR> d-------- C:\Intel
    2007-10-21 14:46 <DIR> d-------- C:\Documents and Settings\JS\Application Data\acccore
    2007-10-21 14:45 <DIR> d-------- C:\Program Files\Viewpoint
    2007-10-21 14:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Viewpoint
    2007-10-21 14:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL OCP
    2007-10-21 14:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL
    2007-10-21 14:44 <DIR> d-------- C:\Program Files\Common Files\AOL
    2007-10-21 14:44 <DIR> d-------- C:\Program Files\AIM6
    2007-10-21 14:43 0 --a------ C:\WINDOWS\nsreg.dat
    2007-10-21 14:31 <DIR> d-------- C:\WINDOWS\provisioning
    2007-10-21 14:31 <DIR> d-------- C:\WINDOWS\peernet
    2007-10-21 14:29 <DIR> d-------- C:\WINDOWS\ServicePackFiles
    2007-10-21 14:24 <DIR> d-------- C:\WINDOWS\EHome
    2007-10-21 09:19 11,776 --------- C:\WINDOWS\SYSTEM32\spnpinst.exe
    2007-10-21 09:19 11,776 --a------ C:\WINDOWS\SYSTEM32\dllcache\spnpinst.exe
    2007-10-21 09:19 4,569 --------- C:\WINDOWS\SYSTEM32\secupd.dat
    2007-10-21 09:19 4,569 --a------ C:\WINDOWS\SYSTEM32\dllcache\secupd.dat
    2007-10-21 08:36 1,082,368 --a------ C:\WINDOWS\SYSTEM32\esent.dll
    2007-10-21 08:36 1,082,368 --a------ C:\WINDOWS\SYSTEM32\dllcache\esent.dll
    2007-10-21 08:28 12,160 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mouhid.sys
    2007-10-21 08:28 12,160 --a------ C:\WINDOWS\SYSTEM32\dllcache\mouhid.sys
    2007-10-21 08:28 9,600 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\hidusb.sys
    2007-10-21 08:28 9,600 --a------ C:\WINDOWS\SYSTEM32\dllcache\hidusb.sys
    2007-10-21 03:39 <DIR> d-------- C:\WINDOWS\SYSTEM32\bits
    2007-10-21 03:39 <DIR> d--h----- C:\WINDOWS\$hf_mig$
    2007-10-21 03:39 22,752 --a------ C:\WINDOWS\SYSTEM32\spupdsvc.exe
    2007-10-21 03:34 549,720 --a------ C:\WINDOWS\SYSTEM32\wuapi.dll
    2007-10-21 03:34 549,720 --a------ C:\WINDOWS\SYSTEM32\dllcache\wuapi.dll
    2007-10-21 03:34 325,976 --a------ C:\WINDOWS\SYSTEM32\wucltui.dll
    2007-10-21 03:34 325,976 --a------ C:\WINDOWS\SYSTEM32\dllcache\wucltui.dll
    2007-10-21 03:34 43,352 --a------ C:\WINDOWS\SYSTEM32\wups2.dll
    2007-10-21 03:34 33,624 --a------ C:\WINDOWS\SYSTEM32\wups.dll
    2007-10-21 03:34 33,624 --a------ C:\WINDOWS\SYSTEM32\dllcache\wups.dll
    2007-10-21 03:33 <DIR> d---s---- C:\Documents and Settings\JS\UserData
    2007-10-21 03:32 <DIR> d---s---- C:\WINDOWS\SYSTEM32\Microsoft
    2007-10-21 03:31 <DIR> d--hs---- C:\WINDOWS\Installer
    2007-10-21 03:24 <DIR> d-------- C:\WINDOWS\SYSTEM32\xircom
    2007-10-21 03:24 <DIR> d-------- C:\Program Files\microsoft frontpage
    2007-10-21 03:24 14,336 --a------ C:\WINDOWS\SYSTEM32\dllcache\iisreset.exe
    2007-10-21 03:24 6,144 --a------ C:\WINDOWS\SYSTEM32\dllcache\ftpsapi2.dll
    2007-10-21 03:24 5,632 --a------ C:\WINDOWS\SYSTEM32\dllcache\iisrstap.dll
    2007-10-21 03:23 <DIR> d--hs---- C:\Documents and Settings\All Users\DRM
    2007-10-21 03:15 <DIR> dr------- C:\Documents and Settings\All Users\Documents
    2007-10-21 03:15 <DIR> d-------- C:\Documents and Settings
    2007-10-21 02:59 <DIR> d-------- C:\WINDOWS\setup
    2007-10-21 02:58 <DIR> d--h----- C:\WINDOWS\NetHood
    2007-10-21 02:57 <DIR> d-------- C:\WINDOWS\SYSTEM\CatRoot
    2007-10-21 02:57 <DIR> d---s---- C:\WINDOWS\Cookies
    2007-10-21 02:57 <DIR> d-------- C:\Program Files\DirectX
    2007-10-21 02:56 <DIR> d-------- C:\WINDOWS\Start Menu
    2007-10-21 02:56 <DIR> d-------- C:\WINDOWS\SendTo
    2007-10-21 02:56 <DIR> d--h----- C:\WINDOWS\Recent
    2007-10-21 02:56 <DIR> d--h----- C:\WINDOWS\PIF
    2007-10-21 02:56 <DIR> d---s---- C:\WINDOWS\Favorites
    2007-10-21 02:56 <DIR> d---s---- C:\WINDOWS\Downloaded Program Files

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-10-21 10:58 46,080 --sha-w C:\VIDEOROM.BIN
    2007-10-21 10:57 266 --sh--w C:\Program Files\desktop.ini
    2007-10-21 10:57 11,025 ---h--w C:\Program Files\folder.htt
    2007-10-21 10:50 7,809 --sh--w C:\SUHDLOG.DAT
    2007-10-21 10:46 --------- d-----w C:\Program Files\CHAT
    2007-10-21 10:46 --------- d-----r C:\Program Files\Accessories
    2007-09-10 19:10 1,060,864 ----a-w C:\WINDOWS\SYSTEM32\mfc71.dll
    2007-09-10 19:09 348,160 ----a-w C:\WINDOWS\SYSTEM32\msvcr71.dll
    2007-09-10 19:08 1,047,552 ----a-w C:\WINDOWS\SYSTEM32\mfc71u.dll
    2007-09-10 19:07 499,712 ----a-w C:\WINDOWS\SYSTEM32\msvcp71.dll
    2007-09-10 18:42 89,088 ----a-w C:\WINDOWS\SYSTEM32\atl71.dll
    2007-08-22 14:12 96,256 ----a-w C:\WINDOWS\SYSTEM32\dllcache\inseng.dll
    2007-08-22 14:12 658,944 ----a-w C:\WINDOWS\SYSTEM32\dllcache\wininet.dll
    2007-08-22 14:12 615,424 ----a-w C:\WINDOWS\SYSTEM32\dllcache\urlmon.dll
    2007-08-22 14:12 55,808 ----a-w C:\WINDOWS\SYSTEM32\dllcache\extmgr.dll
    2007-08-22 14:12 532,480 ----a-w C:\WINDOWS\SYSTEM32\dllcache\mstime.dll
    2007-08-22 14:12 474,112 ----a-w C:\WINDOWS\SYSTEM32\dllcache\shlwapi.dll
    2007-08-22 14:12 449,024 ----a-w C:\WINDOWS\SYSTEM32\dllcache\mshtmled.dll
    2007-08-22 14:12 39,424 ----a-w C:\WINDOWS\SYSTEM32\dllcache\pngfilt.dll
    2007-08-22 14:12 357,888 ----a-w C:\WINDOWS\SYSTEM32\dllcache\dxtmsft.dll
    2007-08-22 14:12 3,058,176 ----a-w C:\WINDOWS\SYSTEM32\dllcache\mshtml.dll
    2007-08-22 14:12 251,392 ----a-w C:\WINDOWS\SYSTEM32\dllcache\iepeers.dll
    2007-08-22 14:12 205,312 ----a-w C:\WINDOWS\SYSTEM32\dllcache\dxtrans.dll
    2007-08-22 14:12 16,384 ----a-w C:\WINDOWS\SYSTEM32\dllcache\jsproxy.dll
    2007-08-22 14:12 151,040 ----a-w C:\WINDOWS\SYSTEM32\dllcache\cdfview.dll
    2007-08-22 14:12 146,432 ----a-w C:\WINDOWS\SYSTEM32\dllcache\msrating.dll
    2007-08-22 14:12 1,494,528 ----a-w C:\WINDOWS\SYSTEM32\dllcache\shdocvw.dll
    2007-08-22 14:12 1,054,208 ----a-w C:\WINDOWS\SYSTEM32\dllcache\danim.dll
    2007-08-22 14:12 1,022,976 ----a-w C:\WINDOWS\SYSTEM32\dllcache\browseui.dll
    2007-08-21 11:30 18,432 ----a-w C:\WINDOWS\SYSTEM32\dllcache\iedw.exe
    2007-08-21 07:15 683,520 ----a-w C:\WINDOWS\SYSTEM32\inetcomm.dll
    2007-08-21 07:15 683,520 ----a-w C:\WINDOWS\SYSTEM32\dllcache\inetcomm.dll
    .

    ((((((((((((((((((((((((((((( [email protected]_12.50.16.45 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2007-03-13 17:57:12 163,328 ----a-w C:\WINDOWS\erdnt\subs\ERDNT.EXE
    + 2007-03-13 18:57:12 163,328 ----a-w C:\WINDOWS\erdnt\subs\ERDNT.EXE
    + 2007-11-05 00:50:16 65,536 ----a-r C:\WINDOWS\Installer\{786547F9-59BB-4FA3-B2D8-327FF1F14870}\ARPPRODUCTICON.exe
    + 2007-10-20 00:56:04 1,044,480 ----a-w C:\WINDOWS\SYSTEM32\libdivx.dll
    + 2007-10-20 00:56:04 200,704 ----a-w C:\WINDOWS\SYSTEM32\ssldivx.dll
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7d036a0d-629c-400a-9597-b9bc8d244d11}]
    2007-11-05 14:50 78912 --a------ C:\WINDOWS\system32\idcgmfvv.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "PHIME2002ASync"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe" [2002-08-29 12:00]
    "PHIME2002A"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe" [2002-08-29 12:00]
    "AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 13:47 C:\WINDOWS\ALCXMNTR.EXE]
    "ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 17:32]
    "Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2007-10-22 17:42]
    "IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-03 22:32]
    "HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-11-02 08:59]
    "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^JS^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
    path=C:\Documents and Settings\JS\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
    backup=C:\WINDOWS\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
    "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
    C:\WINDOWS\system32\igfxtray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"

    S3 SymIM;Symantec Network Security Intermediate Filter Service;C:\WINDOWS\system32\DRIVERS\SymIM.sys
    S3 SymIMMP;SymIMMP;C:\WINDOWS\system32\DRIVERS\SymIM.sys

    .
    Contents of the 'Scheduled Tasks' folder
    "2007-11-03 04:00:02 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer - JS.job"
    - D:\PROGRA~1\NORTON~1\Navw32.exe
    .
    **************************************************************************

    catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-11-05 23:08:11
    Windows 5.1.2600 Service Pack 2 FAT NTAPI

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2007-11-05 23:09:43 - machine was rebooted
    C:\ComboFix2.txt ... 2007-11-04 12:51
    .
    --- E O F ---
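The ComboFix log above shows the pattern the CFScript was written for: a DLL created in SYSTEM32 a few hours before the scan (idcgmfvv.dll) that is also registered as a Browser Helper Object, alongside a sibling with the same kind of random name (bfhodwuh.dll). As an added example (not part of the thread and not ComboFix's own tooling), this Python script parses an excerpt of that log, joins the "Files Created" section against the BHO entries under "Reg Loading Points", and lists the DLLs an analyst should look at first; the 7-day window and the 7-to-8-letter low-vowel name rule are heuristics chosen for this example.

```python
"""Triage a ComboFix log: join "Files Created" entries against the BHO
registrations under "Reg Loading Points" and flag fresh SYSTEM32 DLLs.

SAMPLE_LOG is an excerpt of the log posted in this thread. The rules
(recency window, random-looking name shape) are heuristics for this
example and raise candidates for review, not verdicts."""
import re
from datetime import datetime, timedelta

SAMPLE_LOG = r"""
ComboFix 07-11-04.1 - JS 2007-11-05 23:03:55.2 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.252 [GMT -8:00]

((((((((((((((((((((((((( Files Created from 2007-10-06 to 2007-11-06 )))))))))))))))))))))))))))))))
.
2007-11-05 15:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2007-11-05 14:53 86,080 --a------ C:\WINDOWS\SYSTEM32\bfhodwuh.dll
2007-11-05 14:50 78,912 --a------ C:\WINDOWS\SYSTEM32\idcgmfvv.dll
2007-11-03 12:34 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-23 07:49 271,224 --a------ C:\WINDOWS\SYSTEM32\mucltui.dll
2007-10-23 00:33 32,592 --a------ C:\WINDOWS\SYSTEM32\msonpmon.dll
2007-10-21 09:19 11,776 --a------ C:\WINDOWS\SYSTEM32\dllcache\spnpinst.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7d036a0d-629c-400a-9597-b9bc8d244d11}]
2007-11-05 14:50 78912 --a------ C:\WINDOWS\system32\idcgmfvv.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 17:32]
"""

# "<date> <time> <size or <DIR>> <attrs> <path>" as ComboFix prints it.
FILE_LINE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(?:<DIR>|[\d,]+)\s+\S+\s+(.+)$")
HEADER_LINE = re.compile(r"^ComboFix \S+ - .+? (\d{4}-\d{2}-\d{2} \d{2}:\d{2}):\d{2}")
BHO_KEY = re.compile(r"Browser Helper Objects\\\{([0-9a-fA-F-]+)\}")
SYSTEM32 = "c:\\windows\\system32\\"
VOWELS = set("aeiouy")


def parse_combofix(text):
    """Return (scan_time, [(created, path)], [(clsid, created, dll_path)])."""
    scan_time, created, bhos = None, [], []
    section, pending_clsid = "", None
    for raw in text.splitlines():
        line = raw.strip()
        if scan_time is None:
            m = HEADER_LINE.match(line)
            if m:
                scan_time = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M")
        if line.startswith("((("):            # section banner
            section = line.strip("() ")
            continue
        m = BHO_KEY.search(line)
        if m:                                 # the next file line is the BHO DLL
            pending_clsid = m.group(1)
            continue
        m = FILE_LINE.match(line)
        if not m:
            pending_clsid = None              # blank line or other key ends the block
            continue
        when = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M")
        if section.startswith("Files Created"):
            created.append((when, m.group(2)))
        elif pending_clsid:
            bhos.append((pending_clsid, when, m.group(2)))
            pending_clsid = None
    if scan_time is None:
        raise ValueError("no ComboFix header line found")
    return scan_time, created, bhos


def looks_random(stem):
    """7-8 lowercase letters with at most 2 vowels: the shape of the
    generated names in this log (awtsrpp, idcgmfvv, bfhodwuh)."""
    return (7 <= len(stem) <= 8 and stem.isalpha() and stem.islower()
            and sum(c in VOWELS for c in stem) <= 2)


def triage(text, window_days=7):
    """Map lowercase DLL path -> list of reasons it deserves a look."""
    scan_time, created, bhos = parse_combofix(text)
    cutoff = scan_time - timedelta(days=window_days)
    findings = {}
    # Fresh files directly in SYSTEM32 (dllcache copies are OS-managed, skip them).
    recent = {p.lower(): when for when, p in created
              if when >= cutoff and p.lower().startswith(SYSTEM32)
              and "\\dllcache\\" not in p.lower()}
    for clsid, when, path in bhos:
        if path.lower() in recent:
            findings.setdefault(path.lower(), []).append(
                f"BHO {{{clsid}}} loads a DLL created {when:%Y-%m-%d %H:%M}, "
                f"within {window_days} days of the scan")
    for key, when in recent.items():
        stem = key.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        if key.endswith(".dll") and looks_random(stem):
            findings.setdefault(key, []).append(
                f"random-looking DLL name created {when:%Y-%m-%d %H:%M}")
    return findings


if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_LOG).items():
        print(path)
        for r in reasons:
            print("   -", r)
```

msonpmon.dll is included in the excerpt on purpose: its name passes the shape test, but it was created 13 days before the scan, so the window keeps it out of the findings.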
     
  8. sjpritch25

    sjpritch25

    Joined:
    Sep 8, 2005
    Messages:
    9,113
    Download the attached file CFScript.txt to your Desktop



    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it shall produce a log for you at "C:\ComboFix.txt"

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.



    Note: Please do not use this script on another computer, you may damage the system. The script is made especially for this computer only!!!!


    ===================================

    Please download and install SUPERAntiSpyware
    • Load SUPERAntiSpyware and click the Check for Updates button.
    • Once the update has finished, exit SUPERAntiSpyware. Please do NOT run a scan yet!

    IMPORTANT: Do NOT open any other windows or programs while SUPERAntiSpyware is scanning, it may interfere with the scanning process.
    • Open SUPERAntiSpyware and click the Scan your Computer button.
    • Check Perform Complete Scan and then click Next.
    • SUPERAntiSpyware will now scan your computer and when it's finished it will list all the infections it has found.
    • Make sure that they all have a check next to them, and then click Next.
    • Click Finish and you will be taken back to the main interface.
    • It could be possible that it will ask you to reboot your computer in order to delete some files after reboot.
    • I'll need a log afterwards of what has been found.
    • To get the log, click Preferences and then click the Statistics/Logs tab. Click the dated log and press View Log and a text file will appear.
    • Please post the results of the SUPERAntiSpyware log and HijackThis log in your next reply.
     

    Attached Files:

  9. IamJack

    IamJack Thread Starter

    Joined:
    Nov 2, 2007
    Messages:
    7
    Here is the AntiSpyware Log:

    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 11/07/2007 at 03:41 PM

    Application Version : 3.9.1008

    Core Rules Database Version : 3338
    Trace Rules Database Version: 1339

    Scan type : Complete Scan
    Total Scan Time : 00:35:28

    Memory items scanned : 274
    Memory threats detected : 0
    Registry items scanned : 4932
    Registry threats detected : 0
    File items scanned : 37674
    File threats detected : 82

    Adware.Tracking Cookie

    Adware.ClickSpring/Yazzle
    C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\COMMON FILES\YAZZLE1848OINADMIN.EXE.VIR
    C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\COMMON FILES\YAZZLE1848OINUNINSTALLER.EXE.VIR

    Adware.eZula
    C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\RWANVJHS.EXE.VIR
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{68E6D20D-4A38-4176-9850-646A9CD1FC5A}\RP122\A0007414.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{68E6D20D-4A38-4176-9850-646A9CD1FC5A}\RP122\A0007416.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{68E6D20D-4A38-4176-9850-646A9CD1FC5A}\RP126\A0008716.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{68E6D20D-4A38-4176-9850-646A9CD1FC5A}\RP132\A0011815.EXE

    Adware.ClickSpring
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{68E6D20D-4A38-4176-9850-646A9CD1FC5A}\RP120\A0005110.DLL
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{68E6D20D-4A38-4176-9850-646A9CD1FC5A}\RP121\A0005711.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{68E6D20D-4A38-4176-9850-646A9CD1FC5A}\RP121\A0006744.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{68E6D20D-4A38-4176-9850-646A9CD1FC5A}\RP122\A0007183.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{68E6D20D-4A38-4176-9850-646A9CD1FC5A}\RP122\A0007417.DLL
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{68E6D20D-4A38-4176-9850-646A9CD1FC5A}\RP125\A0007476.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{68E6D20D-4A38-4176-9850-646A9CD1FC5A}\RP125\A0007480.EXE

    Adware.ClickSpring-Variant
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{68E6D20D-4A38-4176-9850-646A9CD1FC5A}\RP120\A0005117.EXE

    Trojan.Unknown Origin
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{68E6D20D-4A38-4176-9850-646A9CD1FC5A}\RP122\A0007184.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{68E6D20D-4A38-4176-9850-646A9CD1FC5A}\RP125\A0007477.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{68E6D20D-4A38-4176-9850-646A9CD1FC5A}\RP126\A0008713.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{68E6D20D-4A38-4176-9850-646A9CD1FC5A}\RP126\A0008714.EXE

    Trojan.Downloader-Gen/Installer
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{68E6D20D-4A38-4176-9850-646A9CD1FC5A}\RP126\A0008717.EXE

    Trojan.Downloader-Gen/WinAble-Installer
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{68E6D20D-4A38-4176-9850-646A9CD1FC5A}\RP126\A0008718.EXE

    Adware.Vundo-Variant
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{68E6D20D-4A38-4176-9850-646A9CD1FC5A}\RP128\A0010774.DLL



    Here is the HighJack Log:


    Logfile of HijackThis v1.99.1
    Scan saved at 9:50:36 PM, on 11/6/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    D:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\ctfmon.exe
    D:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\AIM6\aim6.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\AIM6\aolsoftware.exe
    C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
    C:\WINDOWS\System32\msiexec.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\HijackThis\HijackThis.exe

    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.9.24.dll
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
    O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
    O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.9.24.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} (MUCatalogWebControl Class) - http://catalog.update.microsoft.com.../en/x86/MuCatalogWebControl.cab?1192952756015
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1192962793484
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
    O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
    O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - D:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - D:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    O23 - Service: SAVScan - Symantec Corporation - D:\Program Files\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
     
  10. sjpritch25

    sjpritch25

    Joined:
    Sep 8, 2005
    Messages:
    9,113
    Sorry for the delay, how is everything running??
     
  11. IamJack

    IamJack Thread Starter

    Joined:
    Nov 2, 2007
    Messages:
    7
    It's running smoothly and no more pop-ups, thanks for the help :)
     
  12. sjpritch25

    sjpritch25

    Joined:
    Sep 8, 2005
    Messages:
    9,113
    You're welcome!!!! (y)

    Let's finish up..

    Let's uninstall ComboFix, please go to Start---> Run---> In the space provided, type ComboFix /u---> A DOS window will appear and then disappear after a few seconds.


    Now that your system is clean you should SET A NEW RESTORE POINT to prevent future reinfection from the old restore point AFTER cleaning your system of any malware infection. Any trojans or spyware you picked up could have been saved in System Restore and are waiting to re-infect you. Since System Restore is a protected directory, your tools can not access it to delete files, trapping viruses inside. Setting a new restore point should be done to prevent any future reinfection from the old restore point and enable your computer to "roll-back" in case there is a future problem.

    To SET A NEW RESTORE POINT:
    1. Go to Start > Programs > Accessories > System Tools and click "System Restore".
    2. Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
    3. Then go to Start > Run and type: Cleanmgr
    4. Click "OK".
    5. Click the "More Options" Tab.
    6. Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.

    Graphics for doing this are in the following links if you need them.
    How to Create a Restore Point.
    How to use Cleanmgr.

    ======================================

    Here is some useful information on keeping your computer clean:
    1. Most important thing is to make sure Windows is kept up to date with the latest patches and updates from Windows Update.
    2. Here are two great Preventive programs:
      • SpywareBlaster protects you from malicious ActiveX controls and cookies. Make sure and check for updates twice a month.
      • IESpyads adds a long list of bad sites to your Restricted sites in Internet Explorer and protects against drive by downloads.
    3. Surf Safe with McAfee's SiteAdvisor. SiteAdvisor will work with Internet Explorer and Mozilla Firefox. SiteAdvisor is a browser plugin that assigns a safety rating to domains listed in your search engine. SiteAdvisor uses the following color codes to indicate the safety level of each site.
      • Red for Warning
      • Yellow for Use Caution
      • Green for Safe
      • Grey for Unknown

      Here is the link to install SiteAdvisor in Internet Explorer and Firefox
    4. Anti-Spyware Programs I Recommend:
      • Free Anti-Spyware Programs
      • Great Subscription Anti-Spyware Programs
    5. For Even More Information On Securing Your Computer read Tony Klein's So How Did I Get Infected In The First Place
     
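    The "set a new restore point, then remove the old ones" step above is done through the GUI. As an added example (not part of this thread or the tools it mentions), the same baseline can be created and then checked from Windows PowerShell, so you can confirm that only the fresh, post-cleanup point survives. It assumes Windows PowerShell 2.0 or later with System Restore enabled on the system drive and an elevated prompt; the description string is a constructed placeholder.

```powershell
# Added example, not from the forum thread: create a fresh restore point after
# a malware cleanup and verify that no older points remain.
# Assumes Windows PowerShell 2.0+ (Checkpoint-Computer / Get-ComputerRestorePoint)
# with System Restore enabled, run from an elevated prompt.
# The description below is a constructed placeholder.

$description = 'Post-cleanup baseline'

# 1. Create the new restore point (same as the System Restore wizard step).
Checkpoint-Computer -Description $description -RestorePointType 'MODIFY_SETTINGS'

# 2. List every restore point still on the machine, oldest first.
$points = Get-ComputerRestorePoint | Sort-Object SequenceNumber
foreach ($p in $points) {
    # CreationTime is a WMI date string; convert it for readable output.
    $created = $p.ConvertToDateTime($p.CreationTime)
    '{0,4}  {1:yyyy-MM-dd HH:mm}  {2}' -f $p.SequenceNumber, $created, $p.Description
}

# 3. Check: after the Cleanmgr "More Options" clean-up only the new point should
#    remain. Any older point may still hold copies of the files that were removed.
$old = @($points | Where-Object { $_.Description -ne $description })
if ($old.Count -gt 0) {
    Write-Warning ("{0} older restore point(s) remain; run Cleanmgr > More Options > System Restore > Clean Up." -f $old.Count)
} else {
    Write-Host 'Only the new restore point remains.'
}
```

    Run it once right after the Cleanmgr step: if it warns about older points, the clean-up did not complete and the old, possibly infected restore data is still on disk.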
Short URL to this thread: https://techguy.org/647103