Solved: Backdoor.Graybird trojan

murtazaKara

Thread Starter
Hi,

I use XP SP2 with Norton 2004. Norton found this trojan, but couldn't get rid of it. Then following some of the posts here, I did a Panda Online scan, which disinfected another trojan called "downloader.coy", but couldn't find the graybird. Then used DrWeb-cureit, same result. Then used AVG Anti-spyware, which supposedly got rid of it. But then I did another Norton scan, and graybird is still here! I need expert help!

Here is my newest HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 1:37:14 AM, on 7/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\hphmon05.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\Twain_32\CA561A\SnapDetect.exe
C:\Program Files\HijackThis\HijackThis.exe
C:\Program Files\WinEdt Team\WinEdt\WinEdt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Messenger\msmsgs.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=pavilion&pf=laptop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://webpine.washington.edu/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=pavilion&pf=laptop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=pavilion&pf=laptop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 4.79.245.93:80
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\system32\hphmon05.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: SnapDetect.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=pavilion&pf=laptop
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su-newocx/ocx/15014/CTSUEng.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - http://www.econ.washington.edu/ts/msrdp.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4056/ftp.coupons.com/r3302/Coupons.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9AC81071-4B2C-48DF-A245-C131DD64B7D2} (MachineCheck Class) - https://www.washington.edu/computing/security/unblock/machinecheck.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://download.games.yahoo.com/games/web_games/popcap/chuzzle/popcaploader_v6.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup161.cab
O16 - DPF: {EC51659D-721F-4CBF-9CEA-5E776D89CEA9} - http://www.pacimedia.com/install/pcs_0007.exe
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su-newocx/ocx/15014/CTPID.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://player.radyotvonline.com/ampx_en_dl.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: MATLAB Server (matlabserver) - Unknown owner - C:\MATLAB6p5\webserver\bin\win32\matlabserver.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Thanks everyone!
 
khazars
Download AVG Anti-Spyware

http://www.ewido.net/en/


* Once you have downloaded AVG Anti-Spyware, locate the icon on the desktop and double-click it to launch the setup program.
* Once the setup is complete you will need to run AVG and update the definition files.
* On the main screen select the icon "Update" then select the "Update now" link.
* Next select the "Start Update" button; the update will start and a progress bar will show the updates being installed.
* Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
* Once in the Settings screen click on "Recommended actions" and then select "Delete".
* Under "Reports":
* Select "Automatically generate report after every scan"
* Un-select "Only if threats were found"

Close AVG Anti-Spyware. Do NOT run a scan yet. We will do that later in safe mode.

* Click here to download ATF Cleaner by Atribune and save it to your desktop.

http://majorgeeks.com/ATF_Cleaner_d4949.html


* Double-click ATF-Cleaner.exe to run the program.
* Under Main choose: Select All
* Click the Empty Selected button.
o If you use Firefox:
+ Click Firefox at the top and choose: Select All
+ Click the Empty Selected button.
+ NOTE: If you would like to keep your saved passwords, please click No at the prompt.
o If you use Opera:
+ Click Opera at the top and choose: Select All
+ Click the Empty Selected button.
+ NOTE: If you would like to keep your saved passwords, please click No at the prompt.
* Click Exit on the Main menu to close the program.

* Click here for info on how to boot to safe mode if you don't already know how.

http://service1.symantec.com/SUPPOR...2001052409420406?OpenDocument&src=sec_doc_nam



* Now copy these instructions to Notepad and save them to your desktop. You will need them to refer to in safe mode.

* Restart your computer into safe mode now. Perform the following steps in safe mode:

Have HijackThis fix these entries. Close all browsers and programmes before clicking FIX.

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {EC51659D-721F-4CBF-9CEA-5E776D89CEA9} - http://www.pacimedia.com/install/pcs_0007.exe
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://player.radyotvonline.com/ampx_en_dl.cab

Run AVG Anti-Spyware!

# IMPORTANT: Do not open any other windows or programs while AVG is scanning, as it may interfere with the scanning process:
# Launch AVG Anti-Spyware by double-clicking the icon on your desktop.
# Select the "Scanner" icon at the top and then the "Scan" tab, then click on "Complete System Scan".
# AVG will now begin the scanning process. Be patient, this may take a little time.
Once the scan is complete do the following:
# If you have any infections you will be prompted, then select "Apply all actions".
# Next select the "Reports" icon at the top.
# Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
# Close AVG and reboot your system back into Normal Mode.

Note: this is a stand-alone, it doesn't install to Start/Programmes.

Download Mwav,

http://www.spywareinfo.dk/download/mwav.exe

Double-click on it and it will extract to C:\kaspersky. Click on the kaspersky folder and click on Kavupd; a black DOS window will open and it will update the programme for you. Be patient, it will take 5-10 minutes to download the new definitions. Once it's updated, click on mwavscan to launch the programme.

Use the defaults of:

Memory
startup folders
Registry
system folders
services

Choose drive, all drives, click scan all files and then click scan/clean. After it finishes scanning and cleaning, post the log here with a new HijackThis log.

Note: this is a very thorough scanner, it might take anything up to an hour or more, depending on how many drives you have and how badly infected your PC is.

Highlight the portion of the scan that lists infected items and hold CTRL + C to copy, then paste it here. The whole log will be extremely big so there is no way to copy the whole thing. I just need the infected items list.

Post a new HijackThis log, the Mwav scan log and the AVG Anti-Spyware log!
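The procedure above ends with posting a fresh HijackThis log so the fixed entries can be checked against the earlier one. As an added example, not code from the thread or from HijackThis, the following Python script parses two HijackThis logs and reports which entries and running processes disappeared, appeared or changed, and which items from a fix list are still present; the embedded sample logs are short excerpts copied from the two logs posted in this thread, and the fix list is the one given above (its "..." is the forum's own truncation, which the CLSID-based matching tolerates).

```python
import re

# Constructed sample: excerpts copied from the two HijackThis logs posted in
# this thread (first log before the fixes, second log after them).
BEFORE = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 4.79.245.93:80
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {EC51659D-721F-4CBF-9CEA-5E776D89CEA9} - http://www.pacimedia.com/install/pcs_0007.exe
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://player.radyotvonline.com/ampx_en_dl.cab
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
"""

AFTER = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\TrojanHunter 4.7\THGuard.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 4.79.245.93:80
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.7\THGuard.exe"
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
"""

# The four entries the helper asked HijackThis to fix, exactly as posted (one
# URL is shortened with "..." in the post; keying on the CLSID still matches).
FIX_LIST = r"""O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {EC51659D-721F-4CBF-9CEA-5E776D89CEA9} - http://www.pacimedia.com/install/pcs_0007.exe
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://player.radyotvonline.com/ampx_en_dl.cab
"""

ENTRY_RE = re.compile(r"^(?P<sec>R\d|O\d+) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
RUNKEY_RE = re.compile(r"\[([^\]]+)\]")


def entry_key(sec, body):
    """Identify an entry by what names it (registry value, run key name, item
    label plus CLSID) rather than by its full text, so a path rewritten in 8.3
    short form or a URL truncated in the post still matches the same entry."""
    if sec.startswith("R"):                      # R0/R1: registry value name
        return (sec, body.split(" = ", 1)[0])
    if sec == "O4":                              # autostart: [name]
        m = RUNKEY_RE.search(body)
        return (sec, m.group(1) if m else body)
    head = body.split(" - ", 1)[0]               # label before the first " - "
    m = CLSID_RE.search(body)                    # keeps O9/O18 pairs distinct
    return (sec, head, m.group(0).upper() if m else "")


def parse_log(text):
    """Return (running processes, {entry key: full line}) for one log."""
    processes, entries, in_procs = [], {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            if line:
                processes.append(line)
                continue
            in_procs = False                     # blank line ends the list
        m = ENTRY_RE.match(line)
        if m:
            entries[entry_key(m.group("sec"), m.group("body"))] = line
    return processes, entries


def diff_logs(before_text, after_text):
    """Report what disappeared, appeared or changed between two logs."""
    b_procs, b = parse_log(before_text)
    a_procs, a = parse_log(after_text)
    return {
        "removed": [b[k] for k in b if k not in a],
        "added": [a[k] for k in a if k not in b],
        "changed": [(b[k], a[k]) for k in b if k in a and b[k] != a[k]],
        "new_processes": sorted(set(a_procs) - set(b_procs)),
        "gone_processes": sorted(set(b_procs) - set(a_procs)),
    }


def unfixed_entries(fix_list_text, after_text):
    """Entries from the fix list that are still present in the new log."""
    _, wanted = parse_log(fix_list_text)
    _, after = parse_log(after_text)
    return [line for key, line in wanted.items() if key in after]


if __name__ == "__main__":
    for kind, lines in diff_logs(BEFORE, AFTER).items():
        print(kind, *lines, sep="\n  ")
    print("still to fix:", unfixed_entries(FIX_LIST, AFTER) or "none")
```

Run it against the full logs by reading each saved log into BEFORE and AFTER; an unchanged R1 ProxyServer entry, as in this thread, shows up in neither list, so anything that should also be reviewed but was not on the fix list still needs to be read by hand.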
 

murtazaKara

Thread Starter
Thanks for your help, khazars. Here are the logs.

New HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 10:38:02 PM, on 7/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\hphmon05.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\TrojanHunter 4.7\THGuard.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Twain_32\CA561A\SnapDetect.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=pavilion&pf=laptop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://webpine.washington.edu/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=pavilion&pf=laptop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=pavilion&pf=laptop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 4.79.245.93:80
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\system32\hphmon05.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.7\THGuard.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: SnapDetect.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=pavilion&pf=laptop
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su-newocx/ocx/15014/CTSUEng.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - http://www.econ.washington.edu/ts/msrdp.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4056/ftp.coupons.com/r3302/Coupons.cab
O16 - DPF: {9AC81071-4B2C-48DF-A245-C131DD64B7D2} (MachineCheck Class) - https://www.washington.edu/computing/security/unblock/machinecheck.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://download.games.yahoo.com/games/web_games/popcap/chuzzle/popcaploader_v6.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup161.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su-newocx/ocx/15014/CTPID.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: MATLAB Server (matlabserver) - Unknown owner - C:\MATLAB6p5\webserver\bin\win32\matlabserver.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
--------------------------------------------------------------------------------------------------------

Mwav log:

File C:\Documents and Settings\burcu\Favorites\Afete Hazirlik Egitim Programi.url infected by "BkCln.Unknown" Virus. Action Taken: File Renamed.
File C:\Documents and Settings\burcu\Favorites\MP3Lerim.Com Sorunsuz Bedava MP3 Yükle MP3 Indir Türkçe Mp3 Türk Mp3 Video Klip Türkçe Müzik Music Download Mp3ler Mp3 Yabanci.url infected by "BkCln.Unknown" Virus. Action Taken: File Renamed.
File C:\Documents and Settings\murat\Application Data\Microsoft\Office\Recent\KURALLAR VE EKSTRA ISTEKLER 2007.LNK infected by "BkCln.Unknown" Virus. Action Taken: File Renamed.
File C:\Documents and Settings\murat\Favorites\portakal agaci pastalar arsivleri.url infected by "BkCln.Unknown" Virus. Action Taken: File Renamed.
File C:\Documents and Settings\murat\Favorites\Türkiye'de Merkez Bankaciligi.url infected by "BkCln.Unknown" Virus. Action Taken: File Renamed.
File C:\Documents and Settings\murat\My Documents\My Music\Nazan Öncel\Demir Leblebi\04 Asiklar Parki.mp3 infected by "BkCln.Unknown" Virus. Action Taken: File Renamed.
File C:\Documents and Settings\murat\My Documents\My Music\Nazan Öncel\Demir Leblebi\06 Hizli Yasarken.mp3 infected by "BkCln.Unknown" Virus. Action Taken: File Renamed.
File C:\Documents and Settings\murat\My Documents\My Music\Nazan Öncel\Demir Leblebi\07 Hep Yalniz.mp3 infected by "BkCln.Unknown" Virus. Action Taken: File Renamed.
File C:\Documents and Settings\murat\My Documents\My Music\Nazan Öncel\Demir Leblebi\09 Kiz Bebek.mp3 infected by "BkCln.Unknown" Virus. Action Taken: File Renamed.
File C:\Documents and Settings\murat\My Documents\My Music\Nazan Öncel\Demir Leblebi\10 Sokarim Politikana.mp3 infected by "BkCln.Unknown" Virus. Action Taken: File Renamed.
File C:\Documents and Settings\murat\My Documents\My Music\zen\tanbul\01 ariza oyun havasi.mp3 infected by "BkCln.Unknown" Virus. Action Taken: File Renamed.
File C:\Documents and Settings\murat\My Documents\My Music\zen\tanbul\05 agir hasta.mp3 infected by "BkCln.Unknown" Virus. Action Taken: File Renamed.
File C:\Documents and Settings\murat\My Documents\My Music\zen\tanbul\09 islak kanatlar.mp3 infected by "BkCln.Unknown" Virus. Action Taken: File Renamed.
File C:\Documents and Settings\murat\My Documents\My Music\zen\tanbul\11 yavastan gel.mp3 infected by "BkCln.Unknown" Virus. Action Taken: File Renamed.
File C:\Program Files\Norton AntiVirus\Quarantine\1A46579C.class infected by "Trojan.Java.ClassLoader.z" Virus. Action Taken: File Deleted.
File C:\Program Files\Norton AntiVirus\Quarantine\219A6806.wm infected by "Exploit.Win32.IMG-WMF" Virus. Action Taken: File Renamed.
File C:\Program Files\Norton AntiVirus\Quarantine\28707333.class infected by "Trojan-Downloader.Java.OpenStream.w" Virus. Action Taken: File Deleted.
File C:\Program Files\Norton AntiVirus\Quarantine\287A7128.class infected by "Trojan-Downloader.Java.OpenStream.t" Virus. Action Taken: File Deleted.
File C:\Program Files\Norton AntiVirus\Quarantine\28FA569C.class infected by "Exploit.Java.ByteVerify" Virus. Action Taken: File Renamed.
File C:\Program Files\Norton AntiVirus\Quarantine\28FD0099.class infected by "Trojan.Java.ClassLoader.Dummy.d" Virus. Action Taken: File Deleted.
File C:\Program Files\Norton AntiVirus\Quarantine\29035492.class infected by "Exploit.Java.ByteVerify" Virus. Action Taken: File Renamed.
File C:\Program Files\Norton AntiVirus\Quarantine\29214E71.class infected by "Exploit.Java.ByteVerify" Virus. Action Taken: File Renamed.
File C:\Program Files\Norton AntiVirus\Quarantine\37C42B60.class infected by "Trojan-Downloader.Java.OpenConnection.v" Virus. Action Taken: File Deleted.
File C:\Program Files\Norton AntiVirus\Quarantine\486D75CA.zip infected by "Exploit.Java.ByteVerify" Virus. Action Taken: File Renamed.
File C:\Program Files\Norton AntiVirus\Quarantine\520A011C.class infected by "Trojan.Java.ClassLoader.ak" Virus. Action Taken: File Deleted.
File C:\Program Files\Norton AntiVirus\Quarantine\5EDB6581 infected by "Trojan-Downloader.Win32.INService.bl" Virus. Action Taken: File Deleted.
File C:\Program Files\Norton AntiVirus\Quarantine\6CBF70D0.class infected by "Exploit.Java.ByteVerify" Virus. Action Taken: File Renamed.
File C:\Program Files\Norton AntiVirus\Quarantine\7CBB27AB.class infected by "Trojan-Downloader.Java.OpenStream.w" Virus. Action Taken: File Deleted.
------------------------------------------------------------------------------------------------------


AVG antispyware log:

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 11:31:10 AM 7/2/2007

+ Scan result:



C:\Documents and Settings\murat\DoctorWeb\Quarantine\cpbrkpie.ocx -> Adware.Coupons : No action taken.
C:\Documents and Settings\murat\Application Data\Sun\Java\Deployment\cache\6.0\22\42815ed6-632303dd/Dummy.class -> Not-A-Virus.Exploit.ByteVerify : No action taken.
:mozilla.51:C:\Documents and Settings\burcu\Application Data\Mozilla\Firefox\Profiles\ve3skpbm.default\cookies.txt -> TrackingCookie.2o7 : No action taken.
:mozilla.12:C:\Documents and Settings\burcu\Application Data\Mozilla\Firefox\Profiles\ve3skpbm.default\cookies.txt -> TrackingCookie.Advertising : No action taken.
:mozilla.14:C:\Documents and Settings\burcu\Application Data\Mozilla\Firefox\Profiles\ve3skpbm.default\cookies.txt -> TrackingCookie.Advertising : No action taken.
:mozilla.16:C:\Documents and Settings\burcu\Application Data\Mozilla\Firefox\Profiles\ve3skpbm.default\cookies.txt -> TrackingCookie.Advertising : No action taken.
:mozilla.17:C:\Documents and Settings\burcu\Application Data\Mozilla\Firefox\Profiles\ve3skpbm.default\cookies.txt -> TrackingCookie.Advertising : No action taken.
:mozilla.18:C:\Documents and Settings\burcu\Application Data\Mozilla\Firefox\Profiles\ve3skpbm.default\cookies.txt -> TrackingCookie.Advertising : No action taken.
:mozilla.19:C:\Documents and Settings\burcu\Application Data\Mozilla\Firefox\Profiles\ve3skpbm.default\cookies.txt -> TrackingCookie.Atdmt : No action taken.
:mozilla.121:C:\Documents and Settings\burcu\Application Data\Mozilla\Firefox\Profiles\ve3skpbm.default\cookies.txt -> TrackingCookie.Clickagents : No action taken.
:mozilla.50:C:\Documents and Settings\burcu\Application Data\Mozilla\Firefox\Profiles\ve3skpbm.default\cookies.txt -> TrackingCookie.Cnn : No action taken.
:mozilla.178:C:\Documents and Settings\murat\Application Data\Mozilla\Firefox\Profiles\qr6ddwpx.default\cookies.txt -> TrackingCookie.Com : No action taken.
:mozilla.15:C:\Documents and Settings\burcu\Application Data\Mozilla\Firefox\Profiles\ve3skpbm.default\cookies.txt -> TrackingCookie.Coremetrics : No action taken.
:mozilla.20:C:\Documents and Settings\burcu\Application Data\Mozilla\Firefox\Profiles\ve3skpbm.default\cookies.txt -> TrackingCookie.Doubleclick : No action taken.
:mozilla.334:C:\Documents and Settings\murat\Application Data\Mozilla\Firefox\Profiles\qr6ddwpx.default\cookies.txt -> TrackingCookie.Esomniture : No action taken.
:mozilla.335:C:\Documents and Settings\murat\Application Data\Mozilla\Firefox\Profiles\qr6ddwpx.default\cookies.txt -> TrackingCookie.Esomniture : No action taken.
:mozilla.336:C:\Documents and Settings\murat\Application Data\Mozilla\Firefox\Profiles\qr6ddwpx.default\cookies.txt -> TrackingCookie.Esomniture : No action taken.
:mozilla.339:C:\Documents and Settings\murat\Application Data\Mozilla\Firefox\Profiles\qr6ddwpx.default\cookies.txt -> TrackingCookie.Estat : No action taken.
:mozilla.250:C:\Documents and Settings\murat\Application Data\Mozilla\Firefox\Profiles\qr6ddwpx.default\cookies.txt -> TrackingCookie.Googleadservices : No action taken.
:mozilla.62:C:\Documents and Settings\burcu\Application Data\Mozilla\Firefox\Profiles\ve3skpbm.default\cookies.txt -> TrackingCookie.Hitbox : No action taken.
:mozilla.63:C:\Documents and Settings\burcu\Application Data\Mozilla\Firefox\Profiles\ve3skpbm.default\cookies.txt -> TrackingCookie.Hitbox : No action taken.
:mozilla.94:C:\Documents and Settings\burcu\Application Data\Mozilla\Firefox\Profiles\ve3skpbm.default\cookies.txt -> TrackingCookie.Linksynergy : No action taken.
:mozilla.95:C:\Documents and Settings\burcu\Application Data\Mozilla\Firefox\Profiles\ve3skpbm.default\cookies.txt -> TrackingCookie.Linksynergy : No action taken.
:mozilla.765:C:\Documents and Settings\murat\Application Data\Mozilla\Firefox\Profiles\qr6ddwpx.default\cookies.txt -> TrackingCookie.Live : No action taken.
:mozilla.766:C:\Documents and Settings\murat\Application Data\Mozilla\Firefox\Profiles\qr6ddwpx.default\cookies.txt -> TrackingCookie.Live : No action taken.
:mozilla.767:C:\Documents and Settings\murat\Application Data\Mozilla\Firefox\Profiles\qr6ddwpx.default\cookies.txt -> TrackingCookie.Live : No action taken.
:mozilla.770:C:\Documents and Settings\murat\Application Data\Mozilla\Firefox\Profiles\qr6ddwpx.default\cookies.txt -> TrackingCookie.Liveperson : No action taken.
:mozilla.54:C:\Documents and Settings\burcu\Application Data\Mozilla\Firefox\Profiles\ve3skpbm.default\cookies.txt -> TrackingCookie.Mediaplex : No action taken.
:mozilla.873:C:\Documents and Settings\murat\Application Data\Mozilla\Firefox\Profiles\qr6ddwpx.default\cookies.txt -> TrackingCookie.Paypal : No action taken.
:mozilla.82:C:\Documents and Settings\burcu\Application Data\Mozilla\Firefox\Profiles\ve3skpbm.default\cookies.txt -> TrackingCookie.Pointroll : No action taken.
:mozilla.83:C:\Documents and Settings\burcu\Application Data\Mozilla\Firefox\Profiles\ve3skpbm.default\cookies.txt -> TrackingCookie.Pointroll : No action taken.
:mozilla.84:C:\Documents and Settings\burcu\Application Data\Mozilla\Firefox\Profiles\ve3skpbm.default\cookies.txt -> TrackingCookie.Pointroll : No action taken.
:mozilla.85:C:\Documents and Settings\burcu\Application Data\Mozilla\Firefox\Profiles\ve3skpbm.default\cookies.txt -> TrackingCookie.Pointroll : No action taken.
:mozilla.52:C:\Documents and Settings\burcu\Application Data\Mozilla\Firefox\Profiles\ve3skpbm.default\cookies.txt -> TrackingCookie.Questionmarket : No action taken.
:mozilla.53:C:\Documents and Settings\burcu\Application Data\Mozilla\Firefox\Profiles\ve3skpbm.default\cookies.txt -> TrackingCookie.Questionmarket : No action taken.
:mozilla.103:C:\Documents and Settings\burcu\Application Data\Mozilla\Firefox\Profiles\ve3skpbm.default\cookies.txt -> TrackingCookie.Ru4 : No action taken.
:mozilla.308:C:\Documents and Settings\murat\Application Data\Mozilla\Firefox\Profiles\qr6ddwpx.default\cookies.txt -> TrackingCookie.Sexcounter : No action taken.
:mozilla.309:C:\Documents and Settings\murat\Application Data\Mozilla\Firefox\Profiles\qr6ddwpx.default\cookies.txt -> TrackingCookie.Sexcounter : No action taken.
:mozilla.310:C:\Documents and Settings\murat\Application Data\Mozilla\Firefox\Profiles\qr6ddwpx.default\cookies.txt -> TrackingCookie.Sexcounter : No action taken.
:mozilla.311:C:\Documents and Settings\murat\Application Data\Mozilla\Firefox\Profiles\qr6ddwpx.default\cookies.txt -> TrackingCookie.Sexcounter : No action taken.
:mozilla.312:C:\Documents and Settings\murat\Application Data\Mozilla\Firefox\Profiles\qr6ddwpx.default\cookies.txt -> TrackingCookie.Sexcounter : No action taken.
:mozilla.313:C:\Documents and Settings\murat\Application Data\Mozilla\Firefox\Profiles\qr6ddwpx.default\cookies.txt -> TrackingCookie.Sexcounter : No action taken.
:mozilla.715:C:\Documents and Settings\murat\Application Data\Mozilla\Firefox\Profiles\qr6ddwpx.default\cookies.txt -> TrackingCookie.Sitestat : No action taken.
:mozilla.716:C:\Documents and Settings\murat\Application Data\Mozilla\Firefox\Profiles\qr6ddwpx.default\cookies.txt -> TrackingCookie.Sitestat : No action taken.
:mozilla.229:C:\Documents and Settings\murat\Application Data\Mozilla\Firefox\Profiles\qr6ddwpx.default\cookies.txt -> TrackingCookie.Statcounter : No action taken.
:mozilla.7:C:\Documents and Settings\burcu\Application Data\Mozilla\Firefox\Profiles\ve3skpbm.default\cookies.txt -> TrackingCookie.Trafficmp : No action taken.
:mozilla.255:C:\Documents and Settings\murat\Application Data\Mozilla\Firefox\Profiles\qr6ddwpx.default\cookies.txt -> TrackingCookie.Webtrends : No action taken.
:mozilla.73:C:\Documents and Settings\burcu\Application Data\Mozilla\Firefox\Profiles\ve3skpbm.default\cookies.txt -> TrackingCookie.Webtrendslive : No action taken.
:mozilla.10:C:\Documents and Settings\burcu\Application Data\Mozilla\Firefox\Profiles\ve3skpbm.default\cookies.txt -> TrackingCookie.Yieldmanager : No action taken.
:mozilla.9:C:\Documents and Settings\burcu\Application Data\Mozilla\Firefox\Profiles\ve3skpbm.default\cookies.txt -> TrackingCookie.Yieldmanager : No action taken.
:mozilla.124:C:\Documents and Settings\burcu\Application Data\Mozilla\Firefox\Profiles\ve3skpbm.default\cookies.txt -> TrackingCookie.Zedo : No action taken.


::Report end
 
Joined
Feb 15, 2004
Messages
12,302
You need to run AVG again; make sure to read the instructions properly in setting up AVG, as it should clean or quarantine what it finds!


Also run these scans when you're finished with AVG.


Post another log, the AVG and the SUPER logs!
 

murtazaKara

Thread Starter
Joined
Jul 3, 2007
Messages
8
Well, I was sure that I followed the instructions, but I guess I saved that report before AVG deleted those items. Here is the new AVG scan and it shows that the system is clean:

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 12:47:33 PM 7/4/2007

+ Scan result:



Nothing found.


::Report end
---------------------------------------------------------------------

So I didn't bother doing the other scans one more time. Is there anything I should be doing now, khazars? I will do one more Norton scan; that has been the only one catching the Graybird so far.

Thanks again...
 

murtazaKara

Thread Starter
Joined
Jul 3, 2007
Messages
8
Actually, here is the newest Hijackthis log, just in case:


Logfile of HijackThis v1.99.1
Scan saved at 1:26:05 PM, on 7/4/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\MATLAB6p5\webserver\bin\win32\matlabserver.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\hphmon05.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\TrojanHunter 4.7\THGuard.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\Twain_32\CA561A\SnapDetect.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=pavilion&pf=laptop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://webpine.washington.edu/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=pavilion&pf=laptop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=pavilion&pf=laptop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 4.79.245.93:80
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\system32\hphmon05.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.7\THGuard.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: SnapDetect.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=pavilion&pf=laptop
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su-newocx/ocx/15014/CTSUEng.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - http://www.econ.washington.edu/ts/msrdp.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4056/ftp.coupons.com/r3302/Coupons.cab
O16 - DPF: {9AC81071-4B2C-48DF-A245-C131DD64B7D2} (MachineCheck Class) - https://www.washington.edu/computing/security/unblock/machinecheck.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://download.games.yahoo.com/games/web_games/popcap/chuzzle/popcaploader_v6.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup161.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su-newocx/ocx/15014/CTPID.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: MATLAB Server (matlabserver) - Unknown owner - C:\MATLAB6p5\webserver\bin\win32\matlabserver.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
 
Joined
Feb 15, 2004
Messages
12,302
Go here and empty out this folder!


C:\Program Files\Norton AntiVirus\Quarantine\



Go here and download the latest version of Java. Once it is downloaded, go to Add/Remove and uninstall all previous versions of Java, and then install the latest version you just downloaded!


http://java.com/en/download/manual.jsp


You don't appear to have a firewall. Even if you have a router you still need a software firewall; download the one from the link below!



Comodo firewall. Sign up, it's free!

http://www.personalfirewall.trustix.com/


Threads on Comodo!

http://www.wilderssecurity.com/forumdisplay.php?f=31




Go to this site and download these tools, and once you have both Ad-Aware SE 1.6 and Spybot, update both of them.

Set Ad-Aware to do a full system scan and deselect "Search for negligible risk entries". Click Next to start the scan. Delete everything Ad-Aware finds.

Reboot and now run Spybot.

Spybot: Search and destroy.

Delete what spybot finds marked in red. After updating spybot hit the
immunize button.




Download Superantispyware (SAS):

http://www.superantispyware.com/supe....html?rid=3132


Once downloaded and installed, update the definitions and then run a full system scan; quarantine what it finds!


* Double-click SUPERAntiSpyware.exe and use the default settings for
installation.
* An icon will be created on your desktop. Double-click that icon to launch
the program.
* If asked to update the program definitions, click "Yes". If not, update
the definitions before scanning by selecting "Check for Updates". (If you
encounter any problems while downloading the updates, manually download and
unzip them from here.)

http://www.superantispyware.com/definitions.html

* Under "Configuration and Preferences", click the Preferences button.
* Click the Scanning Control tab.
* Under Scanner Options make sure the following are checked (leave all
others unchecked):
o Close browsers before scanning.
o Scan for tracking cookies.
o Terminate memory threats before quarantining.
* Click the "Close" button to leave the control center screen.
* Back on the main screen, under "Scan for Harmful Software" click Scan your
computer.
* On the left, make sure you check C:\Fixed Drive.
* On the right, under "Complete Scan", choose Perform Complete Scan.
* Click "Next" to start the scan. Please be patient while it scans your
computer.
* After the scan is complete, a Scan Summary box will appear with
potentially harmful items that were detected. Click "OK".
* Make sure everything has a checkmark next to it and click "Next".
* A notification will appear that "Quarantine and Removal is Complete".
Click "OK" and then click the "Finish" button to return to the main menu.
* If asked if you want to reboot, click "Yes".
* To retrieve the removal information after reboot, launch SUPERAntispyware
again.
o Click Preferences, then click the Statistics/Logs tab.
o Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
o If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
o Please copy and paste the Scan Log results in your next reply.
* Click Close to exit the program.


All tools can be downloaded at the link below and found on that page!

. SUPERAntiSpyware
. SpyBot search and destroy
. AdAware SE personal



http://www.majorgeeks.com/downloads31.html


Post another log and the SUPER log!
 

murtazaKara

Thread Starter
Joined
Jul 3, 2007
Messages
8
Hello again khazars,

I did all of the things you said. As a result, SuperAntiSpyware couldn't find a thing on the computer. But I also did a Norton scan in the end, and our beloved friend Backdoor.Graybird is still here! I am pissed off and one step away from reformatting the drive; please help me get rid of this thing...

Here are the logs:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 07/04/2007 at 06:27 PM

Application Version : 3.9.1008

Core Rules Database Version : 3265
Trace Rules Database Version: 1276

Scan type : Complete Scan
Total Scan Time : 01:05:53

Memory items scanned : 450
Memory threats detected : 0
Registry items scanned : 5884
Registry threats detected : 0
File items scanned : 40544
File threats detected : 0



------------------------------------------------------------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 1:11:57 PM, on 7/5/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\MATLAB6p5\webserver\bin\win32\matlabserver.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\hphmon05.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\TrojanHunter 4.7\THGuard.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\Twain_32\CA561A\SnapDetect.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe
C:\Program Files\WinEdt Team\WinEdt\WinEdt.exe
C:\Program Files\Messenger\msmsgs.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=pavilion&pf=laptop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://webpine.washington.edu/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=pavilion&pf=laptop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=pavilion&pf=laptop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 4.79.245.93:80
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\system32\hphmon05.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.7\THGuard.exe"
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: SnapDetect.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=pavilion&pf=laptop
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su-newocx/ocx/15014/CTSUEng.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - http://www.econ.washington.edu/ts/msrdp.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4056/ftp.coupons.com/r3302/Coupons.cab
O16 - DPF: {9AC81071-4B2C-48DF-A245-C131DD64B7D2} (MachineCheck Class) - https://www.washington.edu/computing/security/unblock/machinecheck.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://download.games.yahoo.com/games/web_games/popcap/chuzzle/popcaploader_v6.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup161.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su-newocx/ocx/15014/CTPID.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: MATLAB Server (matlabserver) - Unknown owner - C:\MATLAB6p5\webserver\bin\win32\matlabserver.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
 

murtazaKara

Thread Starter
Joined
Jul 3, 2007
Messages
8
Well, it always catches it at a different location; the one before the last was in the Temp folder, which I emptied using ATF. I don't remember the last one though. Does Norton keep a log of these scans?
 
Joined
Feb 15, 2004
Messages
12,302
Yes, open up Norton and navigate to the quarantine folder!

It could be a false positive, and if it's in the temp folder it can be easily emptied!
 
Joined
Feb 15, 2004
Messages
12,302
Fix this with HijackThis!

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\


How old is your version of Norton?

Norton is a resource hog and is not very good; there are many good free versions available!
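As an added example (not code from this thread or from any of the tools named in it), here is a small Python triage script that parses HijackThis lines into their fields and flags entries in the module-loading sections (O2, O3, O20, O21) whose path names a directory instead of a file, the same oddity as the WgaLogon line above. The section set and the directory heuristic are assumptions made here; the sample lines are copied from the log posted in this thread.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# One HijackThis entry looks like "<code> - <kind>: <name> - [<CLSID> -] <path>"
LINE_RE = re.compile(r"^(?P<code>[RFNO]\d{1,2}) - (?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

# Assumption: entries in these sections must point at a loadable module
# (DLL/EXE), so a path that names only a directory is worth a second look.
PATH_SECTIONS = {"O2", "O3", "O20", "O21"}


@dataclass
class Entry:
    code: str   # section code, e.g. "O20"
    kind: str   # entry kind, e.g. "Winlogon Notify"
    name: str   # entry name, e.g. "WgaLogon"
    path: str   # trailing file path, "" when the line carries none
    raw: str


def parse_line(line: str) -> Optional[Entry]:
    """Split one HijackThis log line into its fields; None for non-entry lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    code, body = m.group("code"), m.group("body")
    kind, sep, rest = body.partition(": ")
    if not sep:                 # R0/R1 lines are "Key,Value = ..." with no kind
        kind, rest = "", body
    parts = [p.strip() for p in rest.split(" - ")]
    name, path = parts[0], ""
    if len(parts) > 1:
        # Drop the CLSID field (O2/O3/O9/O16/O21) and keep the last remaining field.
        tail = [p for p in parts[1:] if not CLSID_RE.fullmatch(p)]
        path = tail[-1] if tail else ""
    return Entry(code=code, kind=kind, name=name, path=path, raw=line.strip())


def is_directory_path(path: str) -> bool:
    """True when a Windows path ends in a separator or its last element has no extension."""
    p = path.strip().strip('"')
    if not p:
        return False
    if p.endswith("\\"):
        return True
    return "." not in p.rsplit("\\", 1)[-1]


def triage(log_text: str) -> List[str]:
    """Return one finding per module-loading entry whose path does not name a file."""
    findings = []
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is None or e.code not in PATH_SECTIONS:
            continue
        if is_directory_path(e.path):
            findings.append(
                f"{e.code} {e.kind}: {e.name} -> '{e.path}' names a directory, not a module"
            )
    return findings


# Constructed sample: a few lines copied from the HijackThis log in this thread.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.7\THGuard.exe"
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```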
 
Joined
Feb 15, 2004
Messages
12,302
OK, I see Norton is 2004. You should uninstall Norton and download AntiVir, install and update AntiVir, do a full system scan with it and post its log here!




Norton uninstallation guidelines!


Because of the problems encountered by many posters to this and many
other forums I have decided to write a thread on how to remove Norton
anti virus!


This guideline can also be used for the removal of McAfee or any other
anti virus program!


Open Norton AntiVirus, click About, and obtain the version of Norton
AntiVirus you have; it should be a year like 2002 etc.!


You will need this to determine what version you have if you need to
use the Norton uninstallers!



Please download these uninstallers for whatever version of Norton
below and have them ready if needed!


Download them to somewhere you can find them like your desktop!




Uninstall Norton AntiVirus. Use Norton's knowledge base.


This link below for Norton 2003-2007


http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2005033108162039



This link below is for Norton 2000-2002

http://service1.symantec.com/SUPPORT/nsw.nsf/docid/2001101612274407




Before uninstalling Norton do these instructions first!



Go to Start/Run, type msconfig, click OK, tick the Selective Startup
radio button, click the Startup tab and uncheck any boxes to do with Symantec,
Norton and LiveUpdate!

then click ok and then exit!



Also do this and disable any running Norton/Symantec services!



Click Start > Run > and type in:

services.msc

Click OK.

In the services window find Winlogon Notify: Automatic LiveUpdate Scheduler
Right click and choose "Properties". On the "General" tab under "Service
Status" click the "Stop" button to stop the service. Beside "Startup Type"
in the dropdown menu select "Disabled". Click Apply then OK. Exit the
Services utility.


Note: You may get an error here when trying to access the properties of
the service. If you do get an error, just select the service and look
there in the top left of the main service window and click "Stop" to
stop the service. If that gives an error or it is already stopped, just
skip this step and proceed with the rest.



Then disable all of these services by repeating the above!



These are optional; there may be others not mentioned here, so disable
whatever Norton/Symantec services you find!


Note: you will also do this if uninstalling McAfee or any other
antivirus!


Automatic LiveUpdate Scheduler
Symantec Event Manager (ccEvtMgr)
Symantec Settings Manager (ccSetMgr)
Symantec Lic NetConnect service (CLTNetCnService)
IS Password Validation (ISPwdSvc)
LiveUpdate
Norton UnErase Protection (NProtectService)
Speed Disk service - Symantec Corporation
Symantec AppCore Service (SymAppCore)



Then go to add/remove in control panel and click to remove Norton!


If this fails, then run the uninstaller for the version you have!
 

murtazaKara

Thread Starter
Joined
Jul 3, 2007
Messages
8
I finally tracked down the virus by scanning folder by folder and deleted that file myself (I didn't let Norton do it). The Norton scan after that came out clean. But nevertheless, I know that Norton isn't very effective; I am using Avast on my desktop, for example. So I'll get rid of it.

But one question: You say "install antivirus instead of Norton" but don't mention which one. Is it AVG?

Thanks for your help again...
 
Joined
Feb 15, 2004
Messages
12,302
AntiVir

http://www.free-av.com/




You should now turn off System Restore to flush out the bad restore points
and then re-enable it and make a new clean restore point.


How to turn off system restore

http://service1.symantec.com/SUPPOR...2001111912274039?OpenDocument&src=sec_doc_nam


http://support.microsoft.com/default.aspx?scid=kb;[LN];310405




Here's some free tools to keep you from getting infected in the future.


To stop reinfection get spywareblaster from


http://www.javacoolsoftware.com/downloads.html


Get the hosts file from here. Unzip it to a folder!



http://www.mvps.org/winhelp2002/hosts.htm


Put it into one of these folders, or click the MVPS .bat file and it should do it for you!


Windows XP = C:\WINDOWS\SYSTEM32\DRIVERS\ETC
Windows 2K = C:\WINNT\SYSTEM32\DRIVERS\ETC
Win 98\ME = C:\WINDOWS



IE-SPYAD. Puts over 5000 sites in your Restricted zone so you'll be protected
when you visit innocent-looking sites that aren't actually innocent at all.


http://www.spywarewarrior.com/uiuc/resource.htm


BoClean. Anti-trojan and much more, free from Comodo!

http://www.comodo.com/boclean/boclean.html


Spyware Terminator

http://www.spywareterminator.com/dnl/landing.aspx


In Spyware Terminator, click Real Time Protection and tick the box to use
real time protection, and tick all the boxes except File Exceptions Shield.
If you're confident in using its advanced feature, click Advanced and tick
the HIPS box.

If you want to install and uninstall programs, it is best to
temporarily disable Spyware Terminator and then re-enable it after you
have installed or uninstalled a program, as it will create a lot of pop-ups
asking you whether you wish this to happen!

Right-click Spyware Terminator on the bottom right of your status bar and
choose Exit. Then tick the box, and that is Spyware Terminator disabled!




Use Spybot's Immunize button and SpywareBlaster's Enable Protection
once you update it. You can put Spybot's hosts file into
your own and lock it.



I would also suggest switching to Mozilla's Firefox browser; it's safer, has
a built-in pop-up blocker, and blocks cookies and ads. Mozilla Thunderbird is
also a good e-mail client.

http://www.mozilla.org/


Another good and free browser is Opera!

http://www.opera.com/


Read here to see how to tighten your security:

http://forums.techguy.org/t208517.html


A good overall guide for firewalls, antivirus, and anti-trojans as well as
regular spyware cleaners:

http://www.firewallguide.com/anti-trojan.htm



You can mark your own thread solved through Thread Tools at the top of
the page.
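The hosts-file step above (unzip the MVPS file, copy it into the drivers\etc folder for your Windows version, then "lock it") is the kind of thing a script does more reliably than a manual copy. The following PowerShell script is an added example and is not from the thread, from MVPS or from any of the tools the helper recommends; it assumes PowerShell is installed (XP did not ship with it), that the unzipped file sits at the path in `$NewHosts`, and that a blocklist-style hosts file should only ever map names to loopback or the null address. Because it reads `$env:SystemRoot`, it resolves to `C:\WINDOWS` on XP and `C:\WINNT` on Windows 2000, so it covers both NT-family rows of the helper's path table without hard-coding either; the Windows 98/ME row is out of scope since PowerShell does not run there.

```powershell
# Added example (not from the thread): install a downloaded MVPS-style hosts
# file the way the post describes, with a sanity check, a backup and an
# optional read-only lock. $NewHosts and the allowed-address list are assumptions.
param(
    [string]$NewHosts = "$env:USERPROFILE\Downloads\hosts",  # assumed unzip location
    [switch]$Lock                                            # set read-only afterwards
)

# %SystemRoot% is C:\WINDOWS on XP and C:\WINNT on 2000, so one path covers both.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'

# Writing into drivers\etc needs administrator rights; fail early if we lack them.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated (Administrator) PowerShell session.'
}
if (-not (Test-Path -LiteralPath $NewHosts)) {
    throw "New hosts file not found: $NewHosts"
}

# A blocklist hosts file must only point names at loopback or the null address.
# Any other target means the file redirects traffic instead of blocking it,
# which is exactly what a malicious hosts file does, so refuse to install it.
$allowed  = @('127.0.0.1', '0.0.0.0', '::1')
$badLines = Get-Content -LiteralPath $NewHosts | Where-Object {
    $line = $_.Trim()
    if ($line -eq '' -or $line.StartsWith('#')) { return $false }   # skip blanks and comments
    $fields = $line -split '\s+'
    # Bad if there is no hostname or the address is not in the allowed list.
    ($fields.Count -lt 2) -or ($allowed -notcontains $fields[0])
}
if ($badLines) {
    Write-Warning "Refusing to install: $($badLines.Count) line(s) do not resolve to loopback/null:"
    $badLines | Select-Object -First 5 | ForEach-Object { Write-Warning "  $_" }
    exit 1
}

# Keep a timestamped copy of the current file so the change can be undone.
if (Test-Path -LiteralPath $hostsPath) {
    $backup = "$hostsPath.bak-$(Get-Date -Format 'yyyyMMdd-HHmmss')"
    Copy-Item -LiteralPath $hostsPath -Destination $backup
    # The old file may already be locked; clear read-only before overwriting.
    Set-ItemProperty -LiteralPath $hostsPath -Name IsReadOnly -Value $false
    Write-Output "Backed up existing hosts file to $backup"
}

Copy-Item -LiteralPath $NewHosts -Destination $hostsPath -Force

if ($Lock) {
    # "Lock it": the read-only attribute stops casual edits and many installers,
    # although anything running as administrator can still clear it.
    Set-ItemProperty -LiteralPath $hostsPath -Name IsReadOnly -Value $true
}

# Flush the resolver cache so the new entries take effect immediately.
ipconfig /flushdns | Out-Null

$entries = (Get-Content -LiteralPath $hostsPath | Where-Object { $_ -match '^\s*[^#\s]' }).Count
Write-Output "Installed $hostsPath with $entries active entries (read-only: $($Lock.IsPresent))."
```

Run it from an elevated prompt as `.\Install-Hosts.ps1 -NewHosts C:\path\to\unzipped\hosts -Lock` (the script name is an assumption). The validation step is the part worth keeping even if you copy the file by hand: a hosts file is a trust decision, and checking that every entry points at `127.0.0.1`, `0.0.0.0` or `::1` is a cheap way to make sure a "blocklist" you downloaded is not quietly redirecting bank or update domains somewhere else. The timestamped `.bak` copy lets you restore the previous file with a single `Copy-Item` if a legitimate site stops resolving.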
 